Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > NFR Wizards> 1997

NFR Wizards Archive: Any Holes?

Any Holes?

Giesinger, Nick HE0 (ngiesinghealth.gov.sk.ca)
Thu, 18 Sep 1997 13:40:26 -0600

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Next message: GEIS: "Firewall Management"
Previous message: Jim Leo: "Re: hitting the "on" switch"
Next in thread: GEIS: "RE: Any Holes?"
Maybe reply: GEIS: "RE: Any Holes?"

We have a security requirement to allow third parties to access data.
The firewall that we originally obtained was act as a proxy server. It
is now being asked to perform this connection.

The firewall has three network cards, Internal, external and dmz.
Access will not be allowed from external to internal directly. The
firewall has a bank of IP assigned to the external card when a specific
ip (ie: 100.1.1.1) accessed at a specific port (ie: 4000) the external
card maps to a different ip ie:(10.2.2.2) and port (ie: 4100) to the
dmz. On the dmz, the web server will require a logon and password. It
also requires a x.509 certificate. The certificate authority resides in
the dmz as well. Once a connect has been established the webserver,
through asp pages, proxies to the firewall at a different ip (ie:
10.2.2.254) and port (ie: 5000) to which the firewall maps to yet
another ip (ie: 10.10.2.2) and port (ie: 5001) which is the internal
network. The internal database server verifies the poxied request
spawned by the dmz web server and depending on the proxy acc't access
rights grants the varring database access. The connection between the
dmz web server and internal database is through the database propriety
encryption/connection supplied with the db which runs only over ip.

The web server is IIS3.0, the CA is WebCA 1.01, both using NT 4.0 and
various patches/hot fixes. The firewall is Borderware 4.1 with patches.
The database is MS SQL 6.5

NT 4.0 has no generic acc'ts (except the proxy accounts but these reside
on the internal system not the dmz) and no anonymous logins. No routing
between nic's. The web pages reside on a different physical drive then
OS. Permissions are only granted to the web drive. Administror has
access to all. The files system is NTFS. IIS3.0 allows clear text
login, with x.509 this should be sufficient. ASP pages are the main
source of request/retrieveals.

We do not have total control over the client computer, but it does
require a x.509 certificate and user name login.

What have I forgotten?

Nick G.

Next message: GEIS: "Firewall Management"
Previous message: Jim Leo: "Re: hitting the "on" switch"
Next in thread: GEIS: "RE: Any Holes?"
Maybe reply: GEIS: "RE: Any Holes?"

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:57 CDT