Sorry if I wasn't clear Richard

The intent is that no session can be initiated from the box in the
DMZ to any address inside the firewall.

Sessions can be initiated from inside the firewall to the box in
the DMZ, then the DMZ box can reply to those sessions.
I think the idea is that there are no open ports that can be used for
any sort of attack, although I'm no networking guru.

I suppose an enterprising hacker, having compromised the DMZ box,
could circumvent this by having a process sit on, e.g., the Windows RDP
port, and then attack the connecting RDP program, but there is no
port that can be repeatedly attacked because it is always open.

Steve.
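The posture Steve describes (sessions only ever opened from the inside toward the DMZ box, with the DMZ box allowed to answer but never to initiate) is a stateful firewall policy. Below is an added example that models that policy and is not code from the thread or from the TSM product: it evaluates a handful of constructed connection attempts and reports which ports on the DMZ box are reachable for a new session, and from where. The addresses are invented; 1501 is the Tivoli Storage Manager client's default TCPCLIENTPORT, the port the server connects to when a node is defined with SessionInitiation=serveronly.

```python
"""Stateful-firewall model of the DMZ posture discussed in the thread.

Added example, not part of the original mailing-list exchange. All addresses
are constructed; only the TSM default TCPCLIENTPORT (1501) is a real value.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")     # constructed: the protected internal network
DMZ_BOX = ip_address("192.0.2.10")    # constructed: the TSM client sitting in the DMZ
TCPCLIENTPORT = 1501                  # TSM client listening port for server-initiated sessions


@dataclass(frozen=True)
class Flow:
    """One packet's view of a TCP flow as the firewall sees it."""
    src: str
    dst: str
    dport: int
    state: str  # "NEW" = attempt to open a session, "ESTABLISHED" = traffic on a session already allowed


def side(addr: str) -> str:
    """Classify an address as inside, the DMZ box, or something else."""
    a = ip_address(addr)
    if a in INSIDE:
        return "inside"
    if a == DMZ_BOX:
        return "dmz"
    return "other"


def policy(flow: Flow) -> str:
    """Return 'ALLOW' or 'DENY' for a flow under the thread's intended rules.

    In a real stateful firewall the ESTABLISHED match only fires for sessions
    whose opening packet was itself allowed, so replies from the DMZ box are
    permitted exactly because an inside host opened the session first.
    """
    if flow.state == "ESTABLISHED":
        return "ALLOW"
    # A NEW session may be opened only from the inside, only toward the DMZ
    # box, and only to the single port the TSM server needs to reach.
    if side(flow.src) == "inside" and side(flow.dst) == "dmz" and flow.dport == TCPCLIENTPORT:
        return "ALLOW"
    # Everything else, in particular anything the DMZ box itself initiates, is dropped.
    return "DENY"


def reachable_from(dport: int) -> set:
    """Which sides can open a NEW session to the given port on the DMZ box.

    This is the point Richard raises: the port is not closed, it is open to
    the inside and closed to everyone else.
    """
    probes = {
        "inside": Flow("10.0.0.5", str(DMZ_BOX), dport, "NEW"),
        "other": Flow("198.51.100.7", str(DMZ_BOX), dport, "NEW"),   # constructed external host
    }
    return {name for name, f in probes.items() if policy(f) == "ALLOW"}


def evaluate(flows):
    """Apply the policy to each flow and return (flow, verdict) pairs."""
    return [(f, policy(f)) for f in flows]


# Constructed sample traffic covering the cases argued about in the thread.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 1501, "NEW"),          # server opens backup session: allowed
    Flow("192.0.2.10", "10.0.0.5", 49152, "ESTABLISHED"),  # DMZ box replies on that session: allowed
    Flow("192.0.2.10", "10.0.0.5", 1500, "NEW"),           # DMZ box tries to reach the server: denied
    Flow("192.0.2.10", "10.0.0.20", 3389, "NEW"),          # DMZ box tries RDP inward: denied
    Flow("10.0.0.5", "192.0.2.10", 3389, "NEW"),           # inside opens RDP to DMZ box: not in policy, denied
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src:>12} -> {flow.dst}:{flow.dport} ({flow.state})")
    print("port 1501 on DMZ box reachable for NEW sessions from:", reachable_from(1501))
    print("port 3389 on DMZ box reachable for NEW sessions from:", reachable_from(3389))
```

Running it shows the two sides of the argument at once: no session originating on the DMZ box is ever allowed in, yet `reachable_from(1501)` still reports the inside network, because the server-initiated design requires the client to be listening on that port.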




On 24/04/2006, at 9:08 PM, Richard Sims wrote:

On Apr 23, 2006, at 8:54 PM, Steven Harris wrote:

I have a new client with a requirement that a box in the DMZ have no
open ports through the firewall.

"We can do that" I said, and set up the node with
SessionInitiation=serveronly and a defined IP address and port. ...

Steve - That sounds like a contradiction in terms to me.

You can't contact a peer system if there is no port accessibility.
A full exploration of intent and means is needed there before going
on to attempt scheduler execution.

   Richard Sims

