Firewall Wizards mailing list archives

RE: Sources for Extranet Designs?


From: "Wes Noonan" <mailinglists () wjnconsulting com>
Date: Mon, 23 Feb 2004 13:31:12 -0600

1.) If you say you should never allow access to resources on your
protected or internal network, how do you handle giving access to
services that reside on machines that cannot be duplicated (i.e.
expensive mainframes)?

There are a couple of approaches that I can think of off hand. Approach 1 is
to design the services with extranet connections in mind. Simply put, maybe
the mainframe isn't the right place to house that resource. This is probably
not the answer that you want to hear though. Approach 2 is to accept that
you have a business limitation that is going to force you to implement a
less than ideal security solution. At that point, you mitigate it. Determine what
precise ports need to be opened from the extranet to the internal resource
and grant *only* that access. If they need SQL access but not NFS access
then make sure that your firewall only permits SQL traffic to pass between
the two networks. Things like that.

2.) Do most companies require routable addresses on their extranet?
Currently we use RFC1918 addresses for our extranet, but we see that this
will become a problem in the future as we add partners.

Depends. Assuming that you are going to be using firewalls and advertising
your internal resources as something else (through the use of NAT, etc.)
then you can do that and make the routable addresses what the extranet
partners think they are going to connect with. That being said, you can
pretty much pick any RFC1918 address space at that point and use it in a
similar fashion. The obvious alternative is that someone will need to change
their address space.

More detailed design you will probably have to pay me for. :-)

One thing that this scenario really graphically depicts is why separation of
resources is such a valuable objective. Sure, it sounds really nice to have
all your stuff running on a mainframe running Linux hosts but these are the
kinds of security problems you will then run into. (feel free to expand this
statement as you see fit - i.e. integrated firewall/ids/content filter/spam
control/virus scanning or separate switches vs. VLANs).

HTH 

Wes Noonan
mailinglists () wjnconsulting com  
http://www.wjnconsulting.com  
Hardening Network Infrastructure - A concise how to guide
Available Spring 2004
Order at http://tinyurl.com/2nof4 
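The two mitigations above (a destination NAT that hides the RFC1918 address behind a routable one, and a port-by-port allow list with everything else denied) can be sketched as a small policy check. This is an added example, not code from the post or the list; every address, the SQL port and the helper names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (assumption, not from the post): the partner's extranet
# range, the routable address partners are told to connect to, and the
# RFC1918 address of the mainframe that the NAT hides behind it.
PARTNER_NET = ipaddress.ip_network("203.0.113.0/24")
ROUTABLE_VIP = ipaddress.ip_address("198.51.100.10")
MAINFRAME = ipaddress.ip_address("10.0.0.5")

# Static destination NAT: the only internal host reachable from the extranet.
DNAT = {ROUTABLE_VIP: MAINFRAME}

# Ordered allow list, checked after NAT: (source network, internal host,
# protocol, port). Only the SQL port is listed; NFS (111/2049) is absent
# on purpose, so it falls through to the default deny.
ALLOW = [
    (PARTNER_NET, MAINFRAME, "tcp", 1433),  # SQL from the partner only
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, internal destination) for a flow arriving from the
    extranet side. Verdict is "permit" or "deny"; the destination is the
    post-NAT address, so the partner never needs to know the RFC1918 one."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if dst not in DNAT:                      # not an advertised service address
        return "deny", flow.dst
    internal = DNAT[dst]
    for net, host, proto, port in ALLOW:
        if (src in net and internal == host
                and flow.proto == proto and flow.dport == port):
            return "permit", str(internal)
    return "deny", str(internal)             # default deny: everything else
```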



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards