--- Alexandros Papadopoulos <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wednesday 09 October 2002 11:31, Chris Hylen wrote:
> > Security Pros:
> >
> > A group of my programmers want to have a DSL connection put in their
> > testing area so they can simulate end user experience across the Internet.
> > I have concerns with this and am curious if anyone else has found a good
> > solution to provision their business requirement without putting the
> > network at risk.
> >
> > I know I haven't gone into enough detail for an EXACT solution but
> > in general if anyone has any "tips" I'd appreciate it. Thanks!

It is debatable whether a DSL line (what speed?) will be able to simulate 'user experience' without baselining the application before testing. Normally the Internet connection is the slowest link in the chain, but testing won't necessarily highlight problems in the application. I would make sure that they have load and performance tested the separate system components (Web, App, DB, Network) before testing from an Internet/remote user's perspective. It is too easy to say 'Oh it's the internet/remote link', when it may be something else within the system, e.g. bad application or database design. Programmers (Gawd bless 'em) are not known for finding faults in their own code. It may be better to use load testing software for average/peak (as per spec) load and performance response.

This brings the point that, to test the 'user experience', the testing must be performed on an environment that directly simulates (even though it may be a cut-down version) the production environment. The development environment is not acceptable for this, but the test environment is. The developers should not really be the team that tests in the test environment; they should sign off and test their separate components, package the application, and give it to the QA/release team to simulate in the test environment. This then should be a separate network, which does have a separate DSL connection. Or, more likely, be located in the Production location (which will be separated from the Company network) and use the Production internet connection, thereby getting a good understanding of the maximum throughput when the system goes live.

Not being aware of the project size or duration, some of my comments may not be applicable, but I would find it hard to justify a special DSL connection into your development network, and its additional management/administrative overhead/cost, when there is testing software that can simulate an internet connection.

If they force the issue (project/time constraints), then you must install a firewall and ensure that it only allows connections IN and OUT FROM specific IPs and ports of the testing machines, harden the box, and install an IDS. I would also suggest putting the development network on its own VPN and allowing only permitted traffic between development and company networks. If the network is to be separated, but needs a connection to the company network, then use SSH/SFTP to connect the two.

But make sure the tests really do prove 'user experience'.

Regards
James

>
> Well, you're probably looking at one dedicated box that does NAT/firewalling
> and sits between the DSL and the rest of your network. All other boxes rely
> on this one box to secure them, so there's no pressing need for
> reconfiguration of the internal network.
>
> If you want to be 100% safe of course, you would disconnect the clients not
> needing internet access and physically connect only a few boxes to the one
> with the DSL line, thus putting a limited part of your network "at risk". See
> how that goes, and then you can make the big step and allow (regulated)
> internet traffic to flow through your entire network.
>
> - -A
> - --
> http://www.andrew.cmu.edu/~apapadop/pub_key.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.0 (GNU/Linux)
>
> iD8DBQE9pkr5gmAMwQt1gmURAtbqAJ9UVUAuMPLa8Pa6q7DnXOzm9epQbgCeN79F
> Y94jHKCEkTMz6S4eAjheiug=
> =LXa6
> -----END PGP SIGNATURE-----
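
One way to check that the firewall box really only passes traffic for specific test machines and ports, as an added example that is not part of the original thread. It assumes the box runs Linux iptables; the allowlist, the sample ruleset and the function name `audit` are constructed for illustration.

```python
import shlex

# Assumed allowlist of test machines and permitted ports (constructed values).
ALLOWED_HOSTS = {"192.168.50.10", "192.168.50.11"}
ALLOWED_PORTS = {"80", "443"}

# Constructed iptables-save output for the box between the DSL line and the test segment.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.50.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 192.168.50.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.50.11/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def audit(dump):
    """Return (line_no, problem) for every rule or policy that breaks the allowlist."""
    findings = []
    for n, line in enumerate(dump.splitlines(), 1):
        if line.startswith(":"):  # chain policy line, e.g. ":FORWARD DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            if chain in ("INPUT", "FORWARD") and policy != "DROP":
                findings.append((n, f"{chain} default policy is {policy}, not DROP"))
            continue
        tok = shlex.split(line)
        if tok[:2] != ["-A", "FORWARD"]:
            continue
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        state = opt.get("--state") or opt.get("--ctstate") or "NEW"
        if opt.get("-j") != "ACCEPT" or "NEW" not in state:
            continue  # only rules that admit new connections are checked
        if "!" in tok:
            findings.append((n, "negated match, review by hand"))
            continue
        hosts = {opt[k].removesuffix("/32") for k in ("-s", "-d") if k in opt}
        if not hosts & ALLOWED_HOSTS:
            findings.append((n, "ACCEPT not tied to an allowed test machine"))
        elif opt.get("--dport") not in ALLOWED_PORTS:
            findings.append((n, f"port {opt.get('--dport')} is not on the allowlist"))
    return findings

if __name__ == "__main__":
    for n, problem in audit(SAMPLE_RULES):
        print(f"line {n}: {problem}")
```

On the sample it flags the permissive FORWARD policy, the subnet-wide rule, the off-list port and the rule with no host restriction.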