Re: Prividing Intranet Website Access To External Users

[Rodrigo Blanco <rodrigo.blanco.r () gmail com>]

If you are open to commercial products, I would take a look at Nortel
Networks' Alteon SSL Accelerator or VPN 3050.

These linux-based appliances provide the SSL VPN functionality (incl.
NTLM auth and web SSO with these credentials), but also they can be
used as pure SSL accelerators or IPSec VPN boxes at the same time. The
good thing is that they provide clientless VPN SSL for any service
(not only web sites) thanks to applet-based port forwarding through
the SSL tunnel. And with outstanding performance.

Hope this helps. Regards,


On 31 Mar 2005 03:01:05 -0000, ben.smethurst () orange net
<ben.smethurst () orange net> wrote:
> In-Reply-To: <25E5794BFEA11E4AAA83359BC2D0E28003F5A402 () LDNPSMEU002VEUA INTRANET BARCAPINT COM>
>
> Ideally, I really wouldnt like to be having my company intranet on the
> dmz, or allowing access from the internet to a natted address of an
> internal server
>
> I would probably integrate the ldap/dc as a security server on the
> firewall and have the remote users authenticate against the ldap/dc
> when they hit the firewall and then pass them through to the intranet
> server. You will probably somehow need to let the intranet server know
> that the user has been authenticated by the dc when they connected
> through the firewall, so that the user doesn't have to authenticate a
> second time when they hit the web server. I agree, its slightly less
> transparent than directly browsing to the webserver, but would
> probably be more secure
>
> I think the ssl vpn.. could also be an option,
>
> If you've got checkpoint, you could buy the connectra ssl network
> extender product which will do the this kind of job very well, or you
> could look at the firepass ssl vpn solution.
>
> Regards
> Ben Smethurst
>
> > Received: (qmail 14471 invoked from network); 11 Feb 2005 07:30:
> 03 -0000
> > Received: from outgoing.securityfocus.com (HELO
> outgoing2.securityfocus.com) (205.206.231.26)
> >  by mail.securityfocus.com with SMTP; 11 Feb 2005 07:30:03 -0000
> > Received: from lists.securityfocus.com (lists.securityfocus.com
> [205.206.231.19])
> >       by outgoing2.securityfocus.com (Postfix) with QMQP
> >       id BED9214644B; Thu, 10 Feb 2005 10:31:54 -0700 (MST)
> > Mailing-List: contact security-basics-help () securityfocus com; run by
> ezmlm
> > Precedence: bulk
> > List-Id: <security-basics.list-id.securityfocus.com>
> > List-Post: <mailto:security-basics () securityfocus com>
> > List-Help: <mailto:security-basics-help () securityfocus com>
> > List-Unsubscribe: <mailto:security-basics-
> unsubscribe () securityfocus com>
> > List-Subscribe: <mailto:security-basics-
> subscribe () securityfocus com>
> > Delivered-To: mailing list security-basics () securityfocus com
> > Delivered-To: moderator for security-basics () securityfocus com
> > Received: (qmail 8323 invoked from network); 10 Feb 2005 08:33:36
> -0000
> > content-class: urn:content-classes:message
> > MIME-Version: 1.0
> > Content-Type: text/plain; charset="us-ascii"
> > Content-Transfer-Encoding: quoted-printable
> > X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
> > Subject: RE: Prividing Intranet Website Access To External Users
> > Date: Thu, 10 Feb 2005 08:22:40 -0000
> > Message-ID:
> <25E5794BFEA11E4AAA83359BC2D0E28003F5A402@LDNPSMEU002V
> EUA.INTRANET.BARCAPINT.COM>
> > X-MS-Has-Attach:
> > X-MS-TNEF-Correlator:
> > Thread-Topic: Prividing Intranet Website Access To External Users
> > Thread-Index: AcUPQczM6h6Z+S26RsWekiEdCkdDSgAB9loQ
> > From: <Steve.Cummings () barclayscapital com>
> > To: <gabriel_orozco () mx sumida com>, <rustychiles () gmail com>,
> >       <security-basics () securityfocus com>
> > X-OriginalArrivalTime: 10 Feb 2005 08:22:40.0839 (UTC)
> >    FILETIME=[AFEB4D70:01C50F49]
> >
> > Stronghold from redhat would be a good fit
> >
> > Regards
> >
> > Steve Cummings=20
> > Web Services
> > Barclays Capital
> > > *Direct:   +44 (0) 207 773 4245
> > > * E-Mail: steve.cummings () barclayscapital com
> >
> >
> > -----Original Message-----
> > From: Gabriel Orozco [mailto:gabriel_orozco () mx sumida com]=20
> > Sent: 07 February 2005 19:10
> > To: rusty chiles; security-basics () securityfocus com
> > Subject: Re: Prividing Intranet Website Access To External Users
> >
> >
> > I would install a reverse proxy, like apache, just connect to the
> > internal web server and the firewall filter every other traffic.
> >
> > ----- Original Message -----
> > From: "rusty chiles" <rustychiles () gmail com>
> > To: <security-basics () securityfocus com>
> > Sent: Friday, February 04, 2005 6:16 PM
> > Subject: Prividing Intranet Website Access To External Users
> >
> >
> > > Greetings,
> > >
> > > I'm asking for reccomendations with the following Scenario:
> > >
> > > We have a internal intranet site. Users are authenticated using
> their=20
> > > nt credentials.
> > >
> > > We need to provide the site externally, translate the internal
> links=20
> > > to external links, and still pass their NT credentials to the website.
> > >
> > >  MGMT wants to do this without vpn, or any other 3rd party
> software on
> > > the clients computer.
> > >
> > > The goal here is a single user sign on, so that the end user is=20
> > > presented with the same experience at home as they are at work.
> > >
> > > We WILL use SSL to protect the transportation of the userid and=20
> > > password.
> > >
> > > The web server is IIS on windows2003.
> > >
> > > The web server will be in the DMZ, and only port 443 will be
> allowed=20
> > > from the outside world.
> > >
> > > The problem is that webserver in the dmz will need to have the
> ability
> > > to talk to the domain controller, as well as a sql server.
> > >
> > > I prefer my resources be separated, and never have internal
> servers=20
> > > traverse the dmz, but in this case that is not possible due to a=20
> > > dependency on the website having tight integration with Active=20
> > > directory resources.
> > >
> > > We could put a sql box in the dmz, but a domain controller.......
> I=20
> > > don't feel comfortable doing that. One box in the dmz is
> compromised,=20
> > > then the DC is open to direct attack.
> > >
> > > If the box talks from the dmz to the internal Domain controller,
> we=20
> > > can acl the traffic so that it only talks over limited port numbers;
> =20
> > > however there is still some risk involved. (which we may have to
> > > accept)
> > >
> > > What experience have members of this list had with publishing
> their=20
> > > intranets to the internet in a secure manner.
> > >
> > > What has worked reliably, and still provided solid security.
> > >
> > > I've considered a SSL VPN type portal, ISA Server, and the like
> as=20
> > > well as several forwarding proxies, but am not 100% comfortable
> with=20
> > > any of the solutions I have seen thus far.
> > >
> > > Any reccomendations List members can make will be helpful to us.
> >
> >
> >
> > ----------------------------------------------------------
> --------------
> > For more information about Barclays Capital, please
> > visit our web site at http://www.barcap.com.
> >
> >
> > Internet communications are not secure and therefore the
> Barclays=20
> > Group does not accept legal responsibility for the contents of this=20
> > message.  Although the Barclays Group operates anti-virus
> programmes,=20
> > it does not accept responsibility for any damage whatsoever that
> is=20
> > caused by viruses being passed.  Any views or opinions presented
> are=20
> > solely those of the author and do not necessarily represent those of
> the=20
> > Barclays Group.  Replies to this email may be monitored by the
> Barclays=20
> > Group for operational or business reasons.
> >
> > ----------------------------------------------------------
> --------------
> >
>
> ---------------------------------------------------------------------------
> Earn your MS in Information Security ONLINE
> Organizations worldwide are in need of highly qualified information security
> professionals.  Norwich University is fulfilling this demand with its MS in
> Information Security offered online.  Recognized by the NSA as an
> academically excellent program, NU offers you the opportunity to earn your
> degree without disrupting your home or work life.
>
> http://www.msia.norwich.edu/secfocus_en
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security 
professionals.  Norwich University is fulfilling this demand with its MS in 
Information Security offered online.  Recognized by the NSA as an 
academically excellent program, NU offers you the opportunity to earn your 
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------