[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [dist-obj] Extranet security
They don't mind manually entering IP addresses in router
tables, but they do mind manually entering IP addresses on
Proxy Servers. They do want SSL traffic over a Private
network but they don't want to secure the DNS service.
The real risk is that someone pulls an inside job. The
weakest links are the ones that connect the chairs to the
> "van Eijk, Peter (NL - Diemen)" wrote:
> Thanks for your comments.
> I'l give you a little more background info.
> We are talking about 5 to 8 organisations, each with 2000
> to 10.000
> client stations, all behind firewall.
> Using the Internet for links between organisations is
> DNS is a must because of the network management issues.
> Nobody wants to
> have hardcoded IP adresses in their clients and servers,
> and especially
> not if they are somebody else's IP adresses.
> You might isolate things into a proxy, but the proxy may
> well have to
> interface to a number of these extranets, that only
> overlap a little.
> It'll be a complicated proxy setting, if you ever get it
> The principle that seems to be relevant here is that it is
> to be avoided
> very much that a configuration change involves coordinated
> between two (let alone more) parties. Case in point: on
> some link
> between these organisations illegal IP adresses are being
> used that are
> a historic legacy. Both organisations have manually edited
> tables, and one of them actually needs a NAT box for this
> address range.
> Yet, they find it too complicated to coordinate the
> Actually, my question was more limited: what about the
> risk of a public
> DNS domain server that discloses an internal IP address
> (which is not
> routable from the Internet)?
> Who has ran into similar situations?
> > Hi
> > This forum may or may not be the place to ask this
> > but it appears
> > to me that you might be in a position to point me to
> > additional resources.
> > My question is outlined below.
> > In extranet situations it is desirable to access servers
> from one
> > organisation with clients from another organisation. The
> > My current questions are: what are the real risks? and
> how would a
> > security auditor judge a setup as outlined above?
> This e-mail message and its attachments are subject to the
> disclaimer published at the following website of Deloitte
> & Touche :
To manage your subscription, mailto:email@example.com
Archives, FAQ, etc. http://www.distributedcoalition.org/mailing_lists/