Thanks, Jakob, for the suggestion. Yes, it's a fortress and we like/need it that way (sensitive data, high bandwidth site, student environment - you get the idea). We thought of the strategy you describe but it means opening an inbound port through the tiers so tier 3 IM can receive the map status from tiers 1 and 2. Inbound ports are verboten. Inside traffic can get out through outbound ports.
Opening the connection from the inside is fine, except that the data coming in in response can be spoofed or corrupted. In the IM scenario this is definitely paranoia running wild (fake IM maps?), but the design and policy is intended to block ALL unauthorised traffic (student records, payroll info etc.).
Subject: Re: Monitoring multi-tiered network? From: "Jakob Peterhänsel" <[EMAIL PROTECTED]> Date: Thu, 6 Mar 2003 22:22:56 +0100
Hi Mike.
Sounds like one hell of a fortress to me, and I think you're locking yourself down more than needed. What is it that keeps you from allowing traffic from the inside to get through? I can't see the security issue in that one! As long as the connection is opened from the inside (pier 2 or 3), I can't see the problems.
I would set it up this way:
Pier 1: IM Daemon/Server, monitoring local pier, allows Remote connection from known IP[range].
Pier 2: Just like pier 1.
Pier 3: Serves local map of pier 3, and one 'global' map with status for the two others [Probe: Map Status].
Remote can also show Pier 1 & 2 maps, if needed.
Hope it helps. ...
Jakob Peterhänsel
Cheers! -- -- Mike Dustan, Computing Operations & Tech. Support, Simon Fraser University, Burnaby, BC Canada. Web: http://www.sfu.ca/ots/
I'm never wrong. I thought I was wrong once, but I was wrong.
____________________________________________________________________ List archives: http://www.mail-archive.com/intermapper-talk%40list.dartware.com/ To unsubscribe: send email to: [EMAIL PROTECTED]
