
Re: [dist-obj] Extranet security



Albert Scherbinsky wrote:
> 
> Kevin Dick wrote:
> >
> > Albert Scherbinsky wrote:
> > >
> > > Kevin Dick wrote:
> > > > > Don't use DNS, but do use domain names. Do it with host file
> > > > > settings on the communicating nodes.
> > > >
> > > > I had thought of this, but I don't know much about how DNS clients on
> > > > various platforms work.  Wouldn't it require manipulating the host file
> > > > settings on every client?  With a lot of clients, this could be a
> > > > problem, especially if you think there's a chance the server IP address
> > > > may change occasionally.
> > >
> > > I think he said we were talking about web access. So, I am
> > > assuming that all the clients are behind a firewall and
> > > access the remote private web server through a proxy server.
> > > I believe then that only the machine the proxy sits on needs
> > > to have its host file set.
> >
> > But I thought the channel would be SSL encrypted, which typically
> > bypasses the proxy.
> 
> Doesn't bypassing the proxy defeat the purpose of a
> firewall?

No.  The primary purpose of the firewall is to prevent access to
internal systems by outsiders.  They do this by inspecting the incoming
and outgoing packets in various ways (depending on whether it's a packet
filter, application level, etc.).  The reason they do this is because IP
provides no authentication and no message integrity so it's easy for an
attacker to impersonate or alter legitimate traffic.

SSL provides end-to-end authentication and encryption, so it's far
superior from a security perspective to plain IP even with firewall
inspection.  However, an SSL encrypted link is going to be opaque to
this sort of inspection.  Therefore, most firewalls by default don't
touch traffic on port 443.

> My guess is, from the fact that they are going to the extent
> of using a private network for some traffic, that their
> security needs are higher than typical.

I agree.  It's precisely this higher requirement that would drive them
to choose SSL for the link and avoid the firewall.

Kevin
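The approach the thread is circling around (pin the server's address without DNS, but keep the domain name so SSL can authenticate the endpoint), as an added Python example; this is not code from the thread, and the host name, address and CA file below are assumptions.

```python
import socket
import ssl

# Constructed illustration: a pinned name-to-address table standing in for the
# "host file settings" discussed above. Name and address are assumptions
# (192.0.2.10 is a documentation-only address), not values from the thread.
PINNED_HOSTS = {
    "extranet.example.net": "192.0.2.10",
}


def resolve_pinned(hostname):
    """Return the pinned IP for hostname; deliberately never falls back to DNS."""
    try:
        return PINNED_HOSTS[hostname]
    except KeyError:
        raise LookupError(f"{hostname} is not in the pinned host table") from None


def make_client_context(ca_file=None):
    """TLS context that requires a certificate and checks it against the name."""
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file=None: system roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connect_pinned(hostname, port=443, ca_file=None, timeout=5.0):
    """Open a TLS connection to the pinned address, verified for hostname.

    The TCP connection goes to the pinned IP (no DNS lookup is made), while
    SNI and certificate name checking still use the domain name, so the
    end-to-end authentication Kevin describes is kept without relying on DNS.
    """
    address = resolve_pinned(hostname)
    ctx = make_client_context(ca_file)
    raw = socket.create_connection((address, port), timeout=timeout)
    # wrap_socket on an already-connected socket performs the handshake here;
    # a certificate that does not match hostname raises ssl.SSLCertVerificationError.
    return ctx.wrap_socket(raw, server_hostname=hostname)


if __name__ == "__main__":
    with connect_pinned("extranet.example.net") as tls:
        print(tls.version(), tls.getpeercert()["subject"])
```

Because the firewall cannot see inside the encrypted channel, the certificate check in the client is the control that actually authenticates the remote server.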

==========================================================================
To manage your subscription, mailto:dist-obj-help@distributedcoalition.org 
Archives, FAQ, etc.     http://www.distributedcoalition.org/mailing_lists/