[thelist] server to server connection
Eduardo Kienetz
eduardok at gmail.com
Thu Feb 26 23:06:52 CST 2009
On Fri, Feb 27, 2009 at 1:05 AM, Ken Schaefer <Ken at adopenstatic.com> wrote:
>> Where exactly do you see huge security risks?
>
> Rarely are boxes in DMZes allowed to reach into an internal network. Even then, it would have to be restricted to a particular service.
He said he only needs to access files, so that's the restricted service.
> Here we seem to be talking about a public box that has a full VPN into the internal network - not even something reverse proxied via a DMZ. That allows someone who has access to the public box pretty much unfettered opportunities to the internal network.
Not if he has proper firewall rules on both ends, as I mentioned.
> I'd struggle to see this type of service flying in many organisations that I work with. Something where the connection is initiated on the internal network and reaches out to the DMZ or the public box is far more common.
I can see how this can put fear into people, but it can be done with risks greatly minimized.
I'm not saying there aren't better solutions either ;)
Eduardo Bacchi Kienetz
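The "proper firewall rules on both ends" that the reply leans on, written out as an added example (this is editor-supplied code, not something posted to the thread, and the thread never says which firewall or file protocol was in use). It assumes nftables on both hosts, a tunnel interface `tun0`, a public box with tunnel address 10.8.0.2, one internal file server at 192.168.10.5, and TCP 445 as a stand-in for "the file service"; all of those are hypothetical. The internal end is the VPN gateway that forwards tunnel traffic into the LAN and drops everything from the tunnel except the one host/port pair and replies to it; the public end refuses to send anything else down the tunnel, and refuses anything arriving from the tunnel that is not a reply. The script only emits the rulesets; it never loads them.

```shell
#!/bin/sh
# Added example: pin a public-box -> internal VPN down to one file service on
# both ends. Every address, interface name and port below is an assumption.
VPN_IF="${VPN_IF:-tun0}"                           # tunnel interface on both hosts
PUBLIC_BOX_VPN_IP="${PUBLIC_BOX_VPN_IP:-10.8.0.2}" # public box's tunnel address
FILE_SERVER_IP="${FILE_SERVER_IP:-192.168.10.5}"   # the one internal host it may reach
FILE_PORT="${FILE_PORT:-445}"                      # the one service on that host (SMB as a stand-in)

# Internal end: the VPN gateway forwarding tunnel traffic into the LAN.
# Default policy is drop; traffic that never touches the tunnel is passed so
# the gateway's other forwarding (if any) is unaffected. Only the public box,
# only to the file server, only on the file port, only new or established.
internal_gateway_ruleset() {
  cat <<EOF
table inet vpn_ingress {
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname != "$VPN_IF" oifname != "$VPN_IF" counter accept
        ct state invalid counter drop
        ct state established,related counter accept
        iifname "$VPN_IF" ip saddr $PUBLIC_BOX_VPN_IP ip daddr $FILE_SERVER_IP tcp dport $FILE_PORT ct state new counter accept
        counter log prefix "vpn-ingress-drop: " drop
    }
}
EOF
}

# Public end: the DMZ/public box itself. Its own public services stay untouched
# (anything not on the tunnel is passed), but on the tunnel it may only open
# connections to the file server on the file port, and may only receive replies.
# A foothold on this box therefore buys the file share, not the whole LAN.
public_box_ruleset() {
  cat <<EOF
table inet vpn_egress {
    chain output {
        type filter hook output priority 0; policy accept;
        oifname != "$VPN_IF" accept
        ct state invalid counter drop
        ct state established,related counter accept
        ip daddr $FILE_SERVER_IP tcp dport $FILE_PORT ct state new counter accept
        counter log prefix "vpn-egress-drop: " drop
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname != "$VPN_IF" accept
        ct state invalid counter drop
        ct state established,related counter accept
        counter log prefix "vpn-input-drop: " drop
    }
}
EOF
}

# Dry-run parse of a ruleset with nft, if it is installed. "nft -c" validates
# without applying; on many builds the netlink dry run still needs root, so
# the check is skipped rather than failed when that is not available.
check_ruleset() {
  if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
    "$1" | nft -c -f -
  else
    echo "skipping nft syntax check for $1 (needs root and nft)" >&2
    return 0
  fi
}

# Usage: sh vpn_rules.sh [internal|public|all]   (default: all)
# Apply on the matching host with: sh vpn_rules.sh internal | nft -f -
case "${1:-all}" in
  internal) internal_gateway_ruleset ;;
  public)   public_box_ruleset ;;
  all)      internal_gateway_ruleset; public_box_ruleset ;;
  *)        echo "usage: $0 [internal|public|all]" >&2; exit 1 ;;
esac
```

Two caveats a reviewer would want stated: the log-and-drop rules are what turn "firewall rules on both ends" into something you can audit (a compromised public box scanning the LAN shows up as `vpn-ingress-drop` entries on the internal gateway, where the attacker cannot suppress them), and the file server's own host firewall and share permissions still need to restrict that one port to the gateway, since these rules only bound the tunnel, not what the file service itself exposes.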