Thanks for your reply mouss and ben.
>here I'll second ben and confess that I don't understand the meaning of your original message.
>what exactly do you want to achieve?
>do you want people in the public network to access resources in your internal server?
I would like to clarify this further. The intent is to allow users on the
internet to access the internal server in the most
secure manner. The security people believe by having such a configuration
the proxy and the internal server and the firewall not allowing incoming
connections), they can put the internal server on the net with maximum
security (though with maximum trouble to me, the developer :).
I will have to implement a pool of open connections on the Proxy server,
which would have originated from the internal server, and then have to do a
lot of custom code to do this. That's the reason, I was asking if some other
product has implemented such a solution or if somebody else can suggest
another configuration which would achieve the same security.
Thanks for your input,
Sumeet
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of mouss
Sent: Monday, August 21, 2000 11:42 AM
To: Sumeet Vij; Ben Nagy; [EMAIL PROTECTED]
Subject: RE: How do I do a reverse Invoke
At 10:36 21/08/00 -0400, Sumeet Vij wrote:
>Ben,
> What I meant was the proxy server in the DMZ can't open a connection to the
>real server inside the firewall. It can only write on a connection that was
>pre-opened by the server inside the firewall.
> The security people seem to think that by not allowing new connections to
>come in through the Proxy server, the real server inside the firewall would
>be safe even if the proxy server is compromised. I am not sure how
>convincing the argument is. Please let me know if their assumption is sound.
their assumption is sound and reasonable. unless you find a secure way or you
"accept" the risk, you'd better reject "incoming" connections.
Also, you don't want to have the same level of severity on both hosts, and if you
allow the dmz host to get to the internal host, then you should be as severe on the
DMZ as you are for internal hosts, but then you don't need a DMZ!
>Again, if you know of some products/implementations of this, please let me
here I'll second ben and confess that I don't understand the meaning of
your original message.
what exactly do you want to achieve?
do you want people in the public network to access resources in your
internal server?
if so, then copy the files you want to make available on the DMZ server.
cheers,
mouss
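The arrangement described in this thread (the DMZ proxy holds a pool of connections that the internal server opened outbound, and only writes on those), shown as an added example that is not part of the original messages. The one-line request protocol, the `RESOURCES` names and the loopback ports are assumptions made for the demonstration.

```python
import queue
import socket
import threading

RESOURCES = {"status": "ok", "motd": "hello"}  # constructed data: the only names served

def internal_worker(back_addr):
    """Internal server: dials OUT to the proxy, then answers on that link."""
    link = socket.create_connection(back_addr).makefile("rw", newline="\n")
    for line in iter(link.readline, ""):
        # Whatever the proxy writes arrives here, so serve known names only.
        link.write(RESOURCES.get(line.strip(), "DENIED") + "\n")
        link.flush()

def proxy_back(back, pool):
    """DMZ proxy, inside-facing port: park each link from the inside in the pool."""
    while True:
        conn, _ = back.accept()
        pool.put(conn.makefile("rw", newline="\n"))

def proxy_front(front, pool):
    """DMZ proxy, public port: relay one request line per client over a pooled link."""
    while True:
        client, _ = front.accept()
        with client, client.makefile("rw", newline="\n") as c:
            req = c.readline()
            if not req.endswith("\n"):
                continue              # client hung up before a full request
            link = pool.get()         # blocks until the inside has dialed out
            link.write(req)
            link.flush()
            c.write(link.readline())
            c.flush()
            pool.put(link)            # link stays open for the next client

def start(pool_size=2):
    front, back = (socket.create_server(("127.0.0.1", 0)) for _ in range(2))
    pool = queue.Queue()
    jobs = [(proxy_back, (back, pool)), (proxy_front, (front, pool))]
    jobs += [(internal_worker, (back.getsockname(),))] * pool_size
    for fn, args in jobs:
        threading.Thread(target=fn, args=args, daemon=True).start()
    return front.getsockname()

def fetch(front_addr, name):
    with socket.create_connection(front_addr, timeout=5) as s, s.makefile("rw", newline="\n") as f:
        f.write(name + "\n")
        f.flush()
        return f.readline().strip()
```

The proxy never calls `connect` toward the inside, so the firewall rule can stay "no inbound connections"; the pooled link still carries whatever the proxy sends, which is why the internal side checks each request name.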
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]