[thelist] server to server connection

Ken Schaefer Ken at adOpenStatic.com
Thu Feb 26 23:56:29 CST 2009


-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Eduardo Kienetz
Sent: Friday, 27 February 2009 4:07 PM
Cc: thelist at lists.evolt.org
Subject: Re: [thelist] server to server connection

On Fri, Feb 27, 2009 at 1:05 AM, Ken Schaefer <Ken at adopenstatic.com> wrote:
>>> Where exactly do you see huge security risks?
>>
>> Rarely are boxes in DMZes allowed to reach into an internal network. 
>> Even then, it would have to be restricted to a particular service.
>
> He said he only needs to access files, so that's the restricted service.

Restricted by what?

>> Here we seem to be talking about a public box that has a full VPN into 
>> the internal network - not even something reverse proxied via a DMZ. 
>> That allows someone who has access to the public box pretty much 
>> unfettered opportunities to the internal network.
> 
> Not if he has proper firewall rules on both ends, as I mentioned.

Typically your VPN tunnels through your external security devices. Or are you suggesting that a VPN endpoint would be in the DMZ, and then some kind of route from the VPN endpoint through the internal firewall to the internal corporate server?

I'm just a bit confused where the actual firewall rules are going to be implemented.

Cheers
Ken
