[thelist] server to server connection

Eduardo Kienetz eduardok at gmail.com
Thu Feb 26 23:06:52 CST 2009

On Fri, Feb 27, 2009 at 1:05 AM, Ken Schaefer <Ken at adopenstatic.com> wrote:
>> Where exactly do you see huge security risks?
> Rarely are boxes in DMZes allowed to reach into an internal network. Even then, it would have to be restricted to a particular service.

He said he only needs to access files, so that's the restricted service.

> Here we seem to be talking about a public box that has a full VPN into the internal network - not even something reverse proxied via a DMZ. That allows someone who has access to the public box pretty much unfettered opportunities to the internal network.

Not if he has proper firewall rules on both ends, as I mentioned.

> I'd struggle to see this type of service flying in many organisations that I work with. Something where the connection is initiated on the internal network and reaches out to the DMZ or the public box is far more common.

I can see how this can put fear into people, but it can be done with
risks greatly minimized.
I'm not saying there aren't better solutions either ;)

Eduardo Bacchi Kienetz
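Added example (not part of the thread or of anyone's posted configuration): what "proper firewall rules on both ends" restricted to "a particular service" can look like in practice. The script below emits an nftables ruleset for each end of the tunnel. Every specific in it is an assumption: the tunnel interface is tun0, the public box is 10.8.0.2 and the internal file server 10.8.0.1 inside the tunnel, and "access files" means SMB on TCP/445. The rules only touch traffic on the tunnel interface, so the host's existing firewall keeps handling everything else. nftables postdates this 2009 thread; the same rules map one-to-one onto iptables.

```shell
#!/bin/sh
# Added example: nftables rulesets pinning a DMZ-to-internal VPN tunnel to a
# single service on BOTH ends. Assumed values (not from the thread):
TUN_IF="${TUN_IF:-tun0}"            # assumed tunnel interface
PUBLIC_BOX="${PUBLIC_BOX:-10.8.0.2}" # assumed tunnel address of the public box
FILE_SERVER="${FILE_SERVER:-10.8.0.1}" # assumed tunnel address of the file server
FILE_PORT="${FILE_PORT:-445}"       # assumed "files" service: SMB

# Internal end (the file server). Only the public box's tunnel address may open
# new connections, only to the file service; nothing on the tunnel is ever
# forwarded into the LAN. Base chains run at priority -10 with policy accept so
# that non-tunnel traffic falls through to the host's existing ruleset.
internal_ruleset() {
    cat <<EOF
table inet vpn_filter {
    chain input {
        type filter hook input priority -10; policy accept;
        iifname "$TUN_IF" jump vpn_in
    }
    chain vpn_in {
        ct state established,related accept
        ip saddr $PUBLIC_BOX ip daddr $FILE_SERVER tcp dport $FILE_PORT ct state new accept
        log prefix "vpn-drop-in: " drop
    }
    chain forward {
        type filter hook forward priority -10; policy accept;
        iifname "$TUN_IF" log prefix "vpn-drop-fwd: " drop
        oifname "$TUN_IF" log prefix "vpn-drop-fwd: " drop
    }
}
EOF
}

# Public-box end. Outbound over the tunnel is limited to the file service on
# the file server; inbound over the tunnel is reply traffic only; no forwarding.
# This end is defence in depth only: root on a compromised public box can clear
# these rules, so the internal end above is the one that actually enforces.
public_box_ruleset() {
    cat <<EOF
table inet vpn_filter {
    chain output {
        type filter hook output priority -10; policy accept;
        oifname "$TUN_IF" jump vpn_out
    }
    chain vpn_out {
        ct state established,related accept
        ip daddr $FILE_SERVER tcp dport $FILE_PORT ct state new accept
        log prefix "vpn-drop-out: " drop
    }
    chain input {
        type filter hook input priority -10; policy accept;
        iifname "$TUN_IF" ct state established,related accept
        iifname "$TUN_IF" log prefix "vpn-drop-in: " drop
    }
    chain forward {
        type filter hook forward priority -10; policy accept;
        iifname "$TUN_IF" log prefix "vpn-drop-fwd: " drop
        oifname "$TUN_IF" log prefix "vpn-drop-fwd: " drop
    }
}
EOF
}

# Usage: sh vpn_rules.sh internal | nft -c -f -   (syntax check)
#        sh vpn_rules.sh internal | nft -f -      (load)
case "${1:-}" in
    internal) internal_ruleset ;;
    public)   public_box_ruleset ;;
esac
```

Load the internal ruleset on the file server and the public one on the DMZ box; `nft -c -f -` checks the syntax without applying anything. The dropped-and-logged lines on the tunnel are worth watching: on the internal end they are exactly the "reach into the internal network" attempts the thread is worried about, and on the public box they show a process trying to use the tunnel for anything other than the file service.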