[thelist] server to server connection

Ken Schaefer
Thu Feb 26 22:05:15 CST 2009

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Eduardo Kienetz
Subject: Re: [thelist] server to server connection

On Thu, Feb 26, 2009 at 10:04 PM, Ken Schaefer wrote:
>> Seems like you are replacing the CMS with something "open source" 
>> and "extensible", but which has huge security risks and defies 
>> best practices in quite a few ways. "project behind schedule" 
>> also doesn't sound good either :-(
> Where exactly do you see huge security risks?

Rarely are boxes in DMZes allowed to reach into an internal network. Even then, it would have to be restricted to a particular service.

Here we seem to be talking about a public box that has a full VPN into the internal network - not even something reverse proxied via a DMZ. That allows someone who has access to the public box pretty much unfettered opportunities to the internal network.

I'd struggle to see this type of service flying in many organisations that I work with. Something where the connection is initiated on the internal network and reaches out to the DMZ or the public box is far more common.
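
An added example, not part of the original message: a small audit that applies the rule of thumb above to a firewall allow-list, flagging any rule that lets a host outside the internal network initiate connections into it and grading how tightly it is pinned to one service. The `Rule` format, the `10.0.0.0/8` internal range and the sample rules are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed internal address space; adjust to the real network.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Rule:
    """One allow rule on a stateful firewall: src is the side that initiates."""
    name: str
    src: str    # CIDR of the initiating side
    dst: str    # CIDR of the side being connected to
    proto: str  # "tcp", "udp" or "any"
    port: str   # single port number as text, or "any"

def audit(rules):
    """Return (rule name, finding) for every rule that lets a host outside
    the internal network open connections into it."""
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        if src.subnet_of(INTERNAL) or not dst.overlaps(INTERNAL):
            continue  # internal-initiated, or never reaches internal hosts
        if r.proto == "any" or r.port == "any":
            findings.append((r.name, "unrestricted"))          # e.g. a full VPN
        elif dst.num_addresses > 1:
            findings.append((r.name, "broad-destination"))     # one port, many hosts
        else:
            findings.append((r.name, "restricted-exception"))  # one host, one service
    return findings

# Constructed sample rules (documentation address ranges, not from the thread).
SAMPLE_RULES = [
    Rule("public-box-vpn", "198.51.100.10/32", "10.0.0.0/8", "any", "any"),
    Rule("dmz-to-app-net", "192.0.2.0/24", "10.1.0.0/16", "tcp", "8080"),
    Rule("dmz-to-db", "192.0.2.20/32", "10.1.2.3/32", "tcp", "5432"),
    Rule("lan-push-to-dmz", "10.1.0.0/16", "192.0.2.20/32", "tcp", "22"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The internal-initiated rule (`lan-push-to-dmz`) produces no finding, while the VPN-style rule is reported as `unrestricted`.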


