This is where the use of DMZ networks comes into play.  Typically, for any
host that a firewall permits inbound TCP connections to, a DMZ segment is a
good home.  To use PIX-speak, you would place the exposed box on a
"medium-security" interface so that your internal network(s) on your
"high-security" interface can initiate connections to the box (high -->
medium), but the box cannot initiate connections in to your internal network
(medium --> high).  And of course, your "low-security" interface (typically
your internet facing interface) can only initiate the connections that you
explicitly permit.  This creates a safety net where if your DMZ host becomes
compromised, it has no access to wreak havoc on your network.

I personally would never trust a software vendor to be honest about the
stability or hackability of their product.  After all, they are under no
liability regarding such things once the product has been sold to you (their
only liability is, of course, their reputation.)  We treat any system that
has internet exposed ports as a threat to our internal systems and require
it to exist on the DMZ.  Furthermore, before that hardware can return to the
internal network, destruction of the O/S is required so that it doesn't
bring any destructive payload with it.

HTH,
Kelly Cobean, CCNP, CCSA, ACSA, MCSE, MCP+I
Network Engineer
GRC International, Inc., an AT&T company
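To make the "high --> medium, but not medium --> high" rule concrete, here is a small model of how a PIX-style firewall decides whether a connection may be initiated between interfaces. This is an added illustration, not code or configuration from either poster or from Cisco: the interface names, the security levels (inside 100, dmz 50, outside 0), the host addresses and the port 8080 are all constructed for the example. It captures the two rules that matter for the DMZ argument above: a higher-security interface may open connections toward a lower one, and a lower-security interface may only open connections that an access list bound to it explicitly permits (on a real PIX a static translation is also required for that inbound case; that step is omitted here).

```python
"""Constructed model of PIX security-level policy (illustration only).

Rule 1: with no access list on the ingress interface, a connection may be
        initiated only from a higher security level to a lower one.
Rule 2: once an access list is bound to the ingress interface, only the
        entries it explicitly permits are allowed; everything else is denied.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One access-list entry, evaluated on the interface traffic arrives on."""
    src_iface: str
    proto: str
    dst_host: str
    dport: int
    action: str = "permit"


@dataclass
class Firewall:
    levels: dict                      # interface name -> security level
    acls: dict = field(default_factory=dict)   # interface name -> [Rule]

    def add_rule(self, rule: Rule) -> None:
        self.acls.setdefault(rule.src_iface, []).append(rule)

    def allows(self, src_iface: str, dst_iface: str,
               proto: str, dst_host: str, dport: int) -> bool:
        """Return True if a connection from src_iface to dst_host may be opened."""
        if src_iface in self.acls:
            # Rule 2: an access list is bound; first match decides, else deny.
            for r in self.acls[src_iface]:
                if (r.proto, r.dst_host, r.dport) == (proto, dst_host, dport):
                    return r.action == "permit"
            return False
        # Rule 1: no access list; fall back to the security-level comparison.
        return self.levels[src_iface] > self.levels[dst_iface]


# Constructed topology: the exposed application server lives on the DMZ.
DMZ_HOST = "192.168.2.10"       # constructed DMZ server address
INSIDE_HOST = "10.0.0.5"        # constructed internal host address
APP_PORT = 8080                 # constructed stand-in for "a port other than 80/443"


def build_example_firewall() -> Firewall:
    fw = Firewall(levels={"inside": 100, "dmz": 50, "outside": 0})
    # The one inbound hole the vendor's application needs, and nothing more.
    fw.add_rule(Rule("outside", "tcp", DMZ_HOST, APP_PORT))
    return fw


def evaluate_scenarios(fw: Firewall) -> dict:
    """Walk through the cases discussed in the thread and report each verdict."""
    return {
        "inside -> dmz app port":   fw.allows("inside", "dmz", "tcp", DMZ_HOST, APP_PORT),
        "dmz -> inside smb":        fw.allows("dmz", "inside", "tcp", INSIDE_HOST, 445),
        "outside -> dmz app port":  fw.allows("outside", "dmz", "tcp", DMZ_HOST, APP_PORT),
        "outside -> dmz ssh":       fw.allows("outside", "dmz", "tcp", DMZ_HOST, 22),
        "outside -> inside app":    fw.allows("outside", "inside", "tcp", INSIDE_HOST, APP_PORT),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_scenarios(build_example_firewall()).items():
        print(f"{name:28s} {'permit' if verdict else 'deny'}")
```

The second scenario is the "safety net" in the message above: even if the DMZ server is fully compromised, the firewall's implicit medium --> high deny leaves it no path to open connections into the internal segment, and the outside interface's access list exposes only the single port the application needs.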

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Brown, M
Sent: Tuesday, April 23, 2002 12:00 PM
To: [EMAIL PROTECTED]
Subject: Security advice - opening ports other than 80 and 443 in the
[7:42333]


A certain application requires a port other than 80 or 443 to be opened in the
firewall for inbound and outbound traffic. The firewall was configured to
allow traffic to that specific server IP address.

The software vendor argues "that the worst scenario could be that hackers
could bring the server down. No other significant would be possible."

Is that true?

How risky is that to my network? I would like to secure that connection
using CA from the company and IPSec. The software vendor argues that is not
necessary.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42422&t=42422
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]