> security freak.  They don't want that port open all the way to their
> corporate network.

You mean from the outside world?  

as long as you only have something like:
static (inside,dmz) <virtual ip of db server on dmz> <real ip of db server on inside>
conduit permit tcp host <virtual ip of db on dmz> eq 80 host <ip of webserver on dmz>

Only the webserver on the dmz will be able to get in to the db server.
Someone would have to compromise the webserver to get in to the db server,
and they would still really not have an easy time compromising the db server
since they will only have access to it on port 80 (or whatever port you open
for it).  They'll still have access to the data on it though, but no matter
what setup you choose, if someone compromises the webserver they will always
have access to the db since the webserver must be able to talk to the db.

Jay
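
An added example, not from this thread or from either poster: the same "only the web server may reach the DB, and only on the one port" rule Jay describes, but on a Linux box sitting at the DMZ boundary, which can also do the port switching Jason asked about (80 on the DMZ side, 5000 on the inside) with iptables DNAT. Addresses and ports are constructed placeholders; the function prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Assumed (constructed) layout:
#   WEB     192.0.2.10   web server on the DMZ
#   DB_VIP  192.0.2.20   DMZ-side address that stands in for the DB (like the PIX "static")
#   DB_REAL 10.0.0.20    real DB server on the inside network
# The Linux box routes between the DMZ and inside and needs net.ipv4.ip_forward=1.

dmz_port_switch_rules() {
  web="$1" db_vip="$2" db_real="$3" pub_port="$4" real_port="$5"
  cat <<EOF
# Rewrite web->DB_VIP:$pub_port into DB_REAL:$real_port before routing (the port switch).
# Keying on -s $web means nothing else on the DMZ even gets translated.
iptables -t nat -A PREROUTING -s $web -d $db_vip -p tcp --dport $pub_port -j DNAT --to-destination $db_real:$real_port
# Default deny for everything crossing the box; this is the equivalent of the PIX implicit deny.
iptables -P FORWARD DROP
# Replies to connections already allowed.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The one permitted flow. FORWARD sees the post-DNAT destination, so match $db_real:$real_port here,
# not the DMZ-side virtual address. This is the "conduit permit tcp host ... eq 80 host <webserver>".
iptables -A FORWARD -s $web -d $db_real -p tcp --dport $real_port -m conntrack --ctstate NEW -j ACCEPT
# Log what falls through so an attempt from anything other than the web server is visible.
iptables -A FORWARD -m conntrack --ctstate NEW -j LOG --log-prefix "dmz-drop: "
EOF
}

# Review the generated rules; pipe through sh to apply them.
dmz_port_switch_rules 192.0.2.10 192.0.2.20 10.0.0.20 80 5000
```

Pipe the output through `sh` only after checking it; a wrong `-s` address here is exactly the "port open all the way to the corporate network" the customer is worried about.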



> -----Original Message-----
> From: Jason Sowers [mailto:jsowers at osii.com]
> Sent: Monday, March 19, 2001 3:57 PM
> To: tclug-list at mn-linux.org
> Subject: RE: [TCLUG] Port switching
> 
> 
> Well, that is naturally how I would do it.  This customer, 
> however, is a
> security freak.  They don't want that port open all the way to their
> corporate network.  I actually am supposed to have two DMZ's 
> back to back
> and be switching ports going through each one.  It doesn't 
> make all that
> much sense to me but I have to do what the customer wants.
> 
> Thanks all for your input.
> 
> -----Original Message-----
> From: tclug-list-admin at mn-linux.org
> [mailto:tclug-list-admin at mn-linux.org]On Behalf Of Austad, Jay
> Sent: Monday, March 19, 2001 3:31 PM
> To: 'tclug-list at mn-linux.org'
> Subject: RE: [TCLUG] Port switching
> 
> 
> Why can't you just make a conduit (I assume you're using a 
> pix since you
> mentioned cisco) to port 80 on the internal machine and only 
> allow access
> from the outside (dmz) one?  Then you don't need to change 
> around the
> ports.
> 
> 
> 
> 
> 
> > -----Original Message-----
> > From: Jason Sowers [mailto:jsowers at osii.com]
> > Sent: Monday, March 19, 2001 1:51 PM
> > To: tclug-list at mn-linux.org
> > Subject: [TCLUG] Port switching
> >
> >
> > Does anyone know if there is hardware/software out there that
> > will allow me
> > to switch TCP/UDP ports of communication as it traverses a DMZ?  For
> > example, if you have a web server that is outside of your
> > network that is
> > getting information from a DB server on the inside of your
> > network, is there
> > any way to switch the packet from port 80 to port 5000 as it
> > crosses the DMZ?
> > Maybe Linux can do it or some package on Linux.  I can't find
> > anything that
> > will do it.  Cisco can't, so I don't really know where to go.  Any
> > input/leads would be great.
> >
> > Thanks
> >
> > Jason Sowers
> >
> > _______________________________________________
> > tclug-list mailing list
> > tclug-list at mn-linux.org
> > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> >