Christopher C. Petro wrote:
> 
> >Hi,
> >
> >I've got a bit of a puzzle. My company would like to be able to ftp
> >stuff to and from the mainframe from other organizations (banks etc.)
> >They want to do this over the net, the information is rather sensitive
> >so it must be secure.
> >
> >Here's the ideas I've had so far:
> >
> >A)  Place a "Store and Forward" FTP server in our DMZ (Don't allow
> >direct connections to the Mainframe). Implement PGP so that files are
> >PGP-Encrypted before it's ftp'd.
> >
> >
> >B)  Use some type of LAN-to-LAN tunneling hardware. Place a box at our
> >end... and boxes at the Bank etc. to create a secure tunnel in which
> >files could be transferred. (I'd still use a Store and Forward tunnel)
> 
>         This option might be a little more expensive, but:
> 
>         Set your FTP server up on a host and have it hooked to an
> external scsi box that can talk to two hosts at once. Have your
> internal machine also hooked up to that box. Run NO OTHER SERVICES on
> the FTP machine, and use the most secure FTP server you can find.
> 
>         While expensive, it's ALMOST an air gap, and as long as you
> aren't leaving sensitive data on in the FTP directory you should be
> OK.

I like this idea.  

It could also be used for a web server.  Much better than running the
web server in a chroot environment.  Have the minimal system all loaded
onto a disk or set of disks.  The web server then could be set up with
the absolute minimal software complement possible.  Even ssh isn't 
needed.  Console login for reboots only.  All file maintenance could be 
done from the internal side machine.  You could even set up on the fly
file integrity checking.  The main hassle I see is getting the web
server machine's OS to recognize updates to file info by the internal
machine.  Some sort of monitoring and invalidating of cached copies 
would be needed.  This could be tricky if the info is something like
an inode or directory that got updated: how to track it down and 
invalidate it after it's been copied to an internal OS structure, or
a program's internal data space.


-- 
|  Bryan Andersen   |   [EMAIL PROTECTED]   |   http://softail.visi.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |
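The "on the fly file integrity checking" Bryan mentions can be done by keeping a hash manifest of the published tree on the internal-side machine and periodically comparing the exposed host's disk against it. The following is an added example, not code from anyone in this thread; the function names (`hash_file`, `build_manifest`, `verify`, `demo`) and the small sample tree it constructs in a temporary directory are my own assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk the published tree and record one hash per file, keyed by relative path.

    Run this on the internal machine right after it has finished writing the
    files; the manifest itself stays on the internal side, never on the
    exposed host.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def verify(root: Path, manifest: dict) -> dict:
    """Compare the tree as it is now against the trusted manifest.

    Returns three sorted lists: files whose content changed, files that appeared
    without the internal side publishing them, and files that went missing.
    Any non-empty list means the exposed host's disk no longer matches what was
    pushed to it and deserves a look.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "removed": sorted(p for p in manifest if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: publish two files, then change the tree behind the manifest's back."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "htdocs").mkdir()
        (root / "htdocs" / "index.html").write_bytes(b"<h1>hello</h1>")
        (root / "htdocs" / "prices.txt").write_bytes(b"widget 10\n")
        manifest = build_manifest(root)

        # Simulated drift on the exposed host: one page altered, one file that
        # was never published, one published file gone.
        (root / "htdocs" / "index.html").write_bytes(b"<h1>changed</h1>")
        (root / "htdocs" / "planted.cgi").write_bytes(b"#!/bin/sh\n")
        (root / "htdocs" / "prices.txt").unlink()

        return verify(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because the internal machine is the only one that legitimately writes to the shared disk, it can rebuild the manifest every time it publishes and run `verify` on a timer; the exposed host never needs to hold the manifest, which matters because anything stored on that host could be altered along with the files it is meant to protect. Note this checks the bytes on disk, not what the web server's cache is serving, so it does not by itself solve the stale-cache problem Bryan raises.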