Another consideration is to place web servers in a DMZ with Network Address Translation. The Web server resides in the DMZ with only inbound port 80 open to it from external sources. Place your database server (Oracle, MS-SQL, Access, etc.) inside your Intranet and open only the port needed to interact inbound from the DMZ; however, all ports outbound from the Intranet to the DMZ are available. Remove all shared drives from Web servers and secure them under the recommended policies from SANS and Microsoft. Now you will have a vulnerability, but a controlled vulnerability. If able, place an IDS between the DMZ and the Intranet. Sneaker traffic all updates to the Web server. The DMZ may have to have DNS later on with a few other add-ons in order to increase sneaker efficiency and backups; however, you have a somewhat secured environment with only the Web servers truly exposed. You can also set it up to accept only specific types of systems depending on your Web services (Apache, IIS, etc.). Cold Fusion does not have to reside on the same box as the Web server, and I strongly recommend this be a separate box. Have not tried any other placement but the DMZ with this. Could be interesting to put it elsewhere. NIMDA and Code Red hit both IIS and Cold Fusion equally well. Hope this helps?
-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 09, 2001 1:39 PM
To: CF-Server
Subject: RE: Remote NT Authentication

> A while ago I posed the question of how to deal with a
> company running their "intranet" (actually, extranet
> applications) at a remote datacenter, where their public
> web server is running. The question at the time was how to
> replicate a database from their internal network to the
> remote installation. It was suggested by some that the
> best approach was not to replicate the databases at all,
> but simply have a single database and run the extranet
> applications (all in CF) on the same web servers. What
> I'm calling "extranet" applications are really only for
> internal company use, but they wish to allow employees
> to use the applications from home or while they're on
> the road.
>
> The sticky part, at this point, is authentication. Right
> now, the servers are in-house and they use NT authentication
> forced by NTFS ACLs on the source directories of the web site.
> Very simple. Everyone has just one password on the network.
> They'd like to have the same type of authentication even
> after the servers are moved. Can this be done? I was thinking
> of placing a BDC at the datacenter, but I'm not sure how it
> would synch user accounts with their internal domain controllers.
> It's been suggested to perhaps run a VPN between the remote
> servers and the internal network, but that sounds like it
> may be a security hazard, since it essentially puts the web
> servers on the internal network.

This is always a difficult issue to resolve in a fully satisfactory manner. If you want to use the same authentication database for both the internal network and for your web applications, you're either going to have to expose that database to the public network on which your web applications reside, or host those web applications on the internal network.

The first solution is generally unacceptable, and you're right to point out that, VPN or no, you'd be creating a giant potential security hole in the case that your public web application servers get attacked, so at that point you might as well just host them on the internal network (or, to be accurate, host them closer to the internal network - perhaps in a DMZ at the same physical location, while allowing authentication requests through the firewall).

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
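The three-zone policy described in the first reply above (inbound port 80 only from outside to the DMZ web server, a single database port from the DMZ into the Intranet, every port outbound from the Intranet to the DMZ, drops logged for an IDS on the DMZ/Intranet link) written as an nftables ruleset. This is an added example, not code from the thread; the interface names, the RFC 5737 / RFC 1918 addresses and the MS-SQL port 1433 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: border firewall with three interfaces (constructed names and addresses).
flush ruleset

define WAN = "eth0"        # public side
define DMZ = "eth1"        # DMZ segment
define LAN = "eth2"        # Intranet
define WEB = 192.0.2.10    # web server in the DMZ (constructed, RFC 5737)
define DB  = 10.0.0.20     # database host on the Intranet (constructed, RFC 1918)
define DBPORT = 1433       # assumed MS-SQL; use 1521 for Oracle

table inet border {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows already permitted below; the firewall is stateful,
        # so DMZ -> Intranet return traffic needs no separate rule.
        ct state established,related accept
        ct state invalid drop

        # Outside -> DMZ: only HTTP to the web server (after the DNAT below)
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport 80 accept

        # DMZ -> Intranet: only the web server, only the database port
        iifname $DMZ oifname $LAN ip saddr $WEB ip daddr $DB tcp dport $DBPORT accept

        # Intranet -> DMZ: all ports open for administration and pushing updates
        iifname $LAN oifname $DMZ accept

        # Everything else (including any DMZ -> Intranet attempt on another
        # port, which an IDS between the zones should also see) is logged,
        # then dropped by the chain policy.
        log prefix "border-drop: " counter
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The public address's port 80 is translated to the DMZ web server
        iifname $WAN tcp dport 80 dnat to $WEB
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Validate the file with `nft -c -f border.nft` before loading it; a web server that needs DNS or update access from the DMZ would need its own explicit outbound rule, since the forward policy drops anything not listed.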
