Re: [dist-obj] Extranet security
They don't mind manually entering IP addresses in router
tables, but they do mind manually entering IP addresses on
Proxy Servers. They do want SSL traffic over a Private
network but they don't want to secure the DNS service.
The real risk is that someone pulls an inside job. The
weakest links are the ones that connect the chairs to the
keyboards.
Albert
> "van Eijk, Peter (NL - Diemen)" wrote:
>
> Thanks for your comments.
> I'll give you a little more background info.
>
> We are talking about 5 to 8 organisations, each with 2000 to 10.000
> client stations, all behind firewall.
> Using the Internet for links between organisations is politically
> unacceptable.
> DNS is a must because of the network management issues. Nobody wants to
> have hardcoded IP addresses in their clients and servers, and especially
> not if they are somebody else's IP addresses.
> You might isolate things into a proxy, but the proxy may well have to
> interface to a number of these extranets, that only overlap a little.
> It'll be a complicated proxy setting, if you ever get it debugged.
>
> The principle that seems to be relevant here is that it is to be avoided
> very much that a configuration change involves coordinated action
> between two (let alone more) parties. Case in point: on some link
> between these organisations illegal IP addresses are being used that are
> a historic legacy. Both organisations have manually edited router
> tables, and one of them actually needs a NAT box for this address range.
> Yet, they find it too complicated to coordinate the change.
> Actually, my question was more limited: what about the risk of a public
> DNS domain server that discloses an internal IP address (which is not
> routable from the Internet)?
>
> Who has run into similar situations?
> >
> > Hi
> > This forum may or may not be the place to ask this question,
> > but it appears
> > to me that you might be in a position to point me to
> > additional resources.
> > My question is outlined below.
> >
> > In extranet situations it is desirable to access servers from one
> > organisation with clients from another organisation. The
>
> []
> >
> > My current questions are: what are the real risks? and how would a
> > security auditor judge a setup as outlined above?
> >
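An added example, not part of the original thread: one way an auditor could measure the disclosure raised in the quoted question (a public DNS server publishing internal, non-routable addresses) is to list every A record in the public zone that points into RFC 1918 space. The zone content, host names and the function name `internal_a_records` are constructed for illustration; the parser assumes one record per line (no multi-line parentheses).

```python
import ipaddress

# RFC 1918 private ranges: not routable from the Internet
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of a publicly served zone (all names/addresses made up)
SAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@        IN SOA ns1.example.org. hostmaster.example.org. 1 7200 900 1209600 3600
@        IN NS  ns1.example.org.
ns1      IN A   192.0.2.53
www      IN A   192.0.2.80
orders   IN A   10.20.30.40      ; extranet server
hr       300 IN A 172.16.5.9
partner  IN CNAME www
"""

def internal_a_records(zone_text):
    """Return [(owner, address)] for A records that point into RFC 1918 space."""
    findings, owner = [], None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]              # strip trailing comment
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue                             # blank line or directive
        if not line[0].isspace():                # new owner name on this line
            owner, fields = fields[0], fields[1:]
        # skip the optional TTL and class that precede the record type
        while fields and (fields[0].isdigit()
                          or fields[0].upper() in ("IN", "CH", "HS")):
            fields = fields[1:]
        if len(fields) < 2 or fields[0].upper() != "A":
            continue
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            continue                             # malformed rdata, ignore
        if any(addr in net for net in RFC1918):
            findings.append((owner, str(addr)))
    return findings

if __name__ == "__main__":
    for name, addr in internal_a_records(SAMPLE_ZONE):
        print(f"{name}: publishes internal address {addr}")
```

Each finding is a name that tells outsiders how the internal network is numbered; serving those records only from an internal view of the zone keeps them out of public answers.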