> This is always a difficult issue to resolve in a fully satisfactory manner.
> If you want to use the same authentication database for both the internal
> network and for your web applications, you're either going to have to expose
> that database to the public network on which your web applications reside,
> or host those web applications on the internal network. The first solution
> is generally unacceptable, and you're right to point out that, VPN or no,
> you'd be creating a giant potential security hole in the case that your
> public web application servers get attacked, so at that point you might as
> well just host them on the internal network (or, to be accurate, host
> them closer to the internal network - perhaps in a DMZ at the same physical
> location, while allowing authentication requests through the firewall).
A setup that I've been considering, though it's a bit complicated, is to have a DMZ and a private network at the colo center. A three-zoned filtering firewall would control and limit the allowed traffic between the two sides. Web servers in the DMZ would be dual-homed, with both a public and a private address (actually, this goes back to one of your earlier recommendations, offloading SQL traffic to another NIC in the web servers). The BDC, database servers, and backup servers would reside in the private network. Then a VPN would connect the private network back to the internal network, allowing the BDC to synch. This would compartmentalize the web servers in the DMZ and offer greater security to the private network. Probably not 100% secure, since if the web servers are compromised they have limited access to the private network and the VPN.

Since the crux of the authentication issue is really that the username/password remain the same, I think we could easily convince the customer to let us use CF to authenticate users, if the usernames and passwords were the same. If we used this application-level authentication approach and pulled usernames/passwords from a local database, is there any way to synch the database with an NT user database? In that case, we'd just pull the NT usernames and passwords into a database on the LAN and then FTP them up to the remote server. Is this possible?

Jim

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
------------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body or visit the list page at www.houseoffusion.com
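The "pull the accounts into a local database, ship the file to the remote server, authenticate at the application level" idea above has two places where a practitioner would want a concrete check: what actually travels in the sync file (NT's own account database holds password hashes, not cleartext passwords, so a sync job never has plaintext to send in any case), and whether the file can be tampered with between the LAN and the colo server when it goes over a plain FTP session. The example below is added here and is not code from the thread or from any product it mentions; it assumes a hypothetical LAN-side export job that can produce a salted verifier per account (the sample passwords are constructed only so the example can build those verifiers offline), a shared key known to the export job and the web tier, and application-side verification against the received file. Function names (`build_sync_file`, `seal`, `unseal`, `is_intact`, `authenticate`) and the JSON record layout are this example's own choices, not anything the message describes.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Work factor for the password verifier; chosen for this example, not from the thread.
ITERATIONS = 100_000

# Constructed sample accounts (not real users). Only the verifiers derived from
# these passwords ever appear in the sync file; the passwords themselves do not.
SAMPLE_ACCOUNTS = {"jsmith": "Winter!2000", "mjones": "c0ldFus1on"}

# Assumed shared secret between the LAN-side export job and the web tier.
SAMPLE_SYNC_KEY = b"example-sync-key-not-for-production"


def make_verifier(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a salted PBKDF2 verifier; this is what the export job emits per user."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(), "iterations": ITERATIONS}


def build_sync_file(accounts: dict) -> bytes:
    """Serialize username -> verifier records; no plaintext password is included."""
    records = {name: make_verifier(pw) for name, pw in accounts.items()}
    return json.dumps(records, sort_keys=True).encode("utf-8")


def seal(sync_bytes: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so tampering in transit (e.g. over FTP) is detectable."""
    tag = hmac.new(key, sync_bytes, hashlib.sha256).hexdigest().encode("ascii")
    return sync_bytes + b"\n" + tag


def unseal(sealed: bytes, key: bytes) -> dict:
    """Verify the tag in constant time and parse the records; raise on any mismatch."""
    body, _, tag = sealed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(expected, tag):
        raise ValueError("sync file failed integrity check")
    return json.loads(body.decode("utf-8"))


def is_intact(sealed: bytes, key: bytes) -> bool:
    """Boolean form of unseal() for callers that only need the verdict."""
    try:
        unseal(sealed, key)
        return True
    except ValueError:
        return False


def authenticate(records: dict, username: str, password: str) -> bool:
    """Application-level login check against the synced verifiers."""
    rec = records.get(username)
    if rec is None:
        # Burn the same work for unknown users so timing does not reveal valid names.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * 16, ITERATIONS)
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(rec["salt"]), rec["iterations"]
    )
    return hmac.compare_digest(dk.hex(), rec["hash"])


def demo() -> dict:
    """Round trip: export on the LAN, 'transfer', verify and log in at the colo."""
    sealed = seal(build_sync_file(SAMPLE_ACCOUNTS), SAMPLE_SYNC_KEY)
    records = unseal(sealed, SAMPLE_SYNC_KEY)
    tampered = sealed.replace(b"jsmith", b"intruder")  # simulate an in-transit edit
    return {
        "good_login": authenticate(records, "jsmith", "Winter!2000"),
        "bad_password": authenticate(records, "jsmith", "wrong"),
        "unknown_user": authenticate(records, "nobody", "Winter!2000"),
        "tampered_detected": not is_intact(tampered, SAMPLE_SYNC_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC only gives integrity, not confidentiality: anyone watching the FTP session still sees usernames and salted verifiers, which is far less damaging than cleartext passwords but still worth moving over the VPN rather than the public path.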
