Hi Sumeet
I don't get the logic of your 'security guys'. The connections we're talking
about are, in effect, inbound. There are people on the Internet who need
information from an internal host. The session establishment is inbound
traffic and nothing's going to change that. For your application to work in
the same way as it would if you contacted the internal server from the DMZ
machine, but without inbound connection establishment, the internal server
would need to know when it needs to connect to the DMZ machine. Now, unless
you've got parapsychically gifted machines or a second connection between
them (which you do *not* want to have for security reasons), there's no way
the internal server can have that knowledge. Which means it'll have to have
an open connection to the DMZ server all the time. Ask your security folks where
the gain is in that solution! I say: you control the internal server, so you can
and should lock it down and harden it as tight as possible, implement
filtering on it, maybe even IPSec to authenticate the DMZ server, put the
thing on a physically separate LAN if need be. Then configure the firewall /
packet filter to allow connections originating on the DMZ machine and bound
for a specific port on the internal machine only. I don't see why this
should be less safe than their solution.
Regards
Tobias
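As an added illustration (not part of Tobias's mail), here is a small model of the stateful packet filter he describes: new sessions are accepted only from the DMZ host to one port on the internal host, reply traffic is accepted only for tracked flows, and everything else, including the "reverse" internal-to-DMZ connection his security people propose, is dropped. The addresses, the service port and the `Packet`/`Filter` names are assumptions made for the example.

```python
from dataclasses import dataclass, field

DMZ_HOST = "192.0.2.10"      # assumed address of the DMZ machine
INTERNAL_HOST = "10.0.0.5"   # assumed address of the internal server
SERVICE_PORT = 5432          # assumed: the one internal port the DMZ may reach


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True for a connection-establishment (new session) packet


@dataclass
class Filter:
    # Tracked flows as (client, client_port, server, server_port) tuples.
    flows: set = field(default_factory=set)

    def accept(self, pkt: Packet) -> bool:
        # Rule 1: session establishment is allowed only from the DMZ host
        # to the single service port on the internal host.
        if pkt.syn:
            allowed = (pkt.src == DMZ_HOST and pkt.dst == INTERNAL_HOST
                       and pkt.dport == SERVICE_PORT)
            if allowed:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return allowed
        # Rule 2: non-SYN packets pass only if they belong to a tracked
        # flow, in either direction (replies from the internal server).
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return forward in self.flows or reverse in self.flows


def run_scenario() -> list:
    """Constructed traffic sample; returns the filter's per-packet decisions."""
    fw = Filter()
    sample = [
        Packet(DMZ_HOST, INTERNAL_HOST, 40001, SERVICE_PORT, syn=True),   # DMZ opens session
        Packet(INTERNAL_HOST, DMZ_HOST, SERVICE_PORT, 40001, syn=False),  # reply on that flow
        Packet("198.51.100.7", INTERNAL_HOST, 5000, SERVICE_PORT, syn=True),  # Internet -> internal
        Packet(INTERNAL_HOST, DMZ_HOST, 40002, 80, syn=True),             # internal -> DMZ (reverse design)
        Packet(DMZ_HOST, INTERNAL_HOST, 40003, 22, syn=True),             # DMZ -> wrong port
        Packet(DMZ_HOST, INTERNAL_HOST, 40004, SERVICE_PORT, syn=False),  # non-SYN, no tracked flow
    ]
    return [fw.accept(p) for p in sample]
```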