> I know that and I agree with you.  I don't get it.  They are 
> just worried
> that someone is going to hijack that port and bring their 
> company to its
> knees.  It's a large utility in Texas that is wanting this.

If they don't know enough to do the work themselves and need to hire a
security consultant (you) to do it for them, shouldn't they listen to your
recommendations instead of coming up with their own ideas about something
they know little about?  

Of course, I know how some customers can be, and if they're paying you the
cash, do it however they want it done, as long as you don't have to support
it once it's implemented.  :)

Jay

> -----Original Message-----
> From: Jason Sowers [mailto:jsowers at osii.com]
> Sent: Monday, March 19, 2001 9:26 PM
> To: tclug-list at mn-linux.org
> Subject: RE: [TCLUG] Port switching
> 
> 
> I know that and I agree with you.  I don't get it.  They are 
> just worried
> that someone is going to hijack that port and bring their 
> company to its
> knees.  It's a large utility in Texas that is wanting this.
> 
> -----Original Message-----
> From: tclug-list-admin at mn-linux.org
> [mailto:tclug-list-admin at mn-linux.org]On Behalf Of Austad, Jay
> Sent: Monday, March 19, 2001 4:46 PM
> To: 'tclug-list at mn-linux.org'
> Subject: RE: [TCLUG] Port switching
> 
> 
> > security freak.  They don't want that port open all the way to their
> > corporate network.
> 
> You mean from the outside world?
> 
> As long as you only have something like:
> static (inside,dmz) <virtual ip of db server on dmz> <real ip of db server on inside>
> conduit permit tcp host <virtual ip of db on dmz> eq 80 host <ip of webserver on dmz>
> 
> Only the webserver on the dmz will be able to get in to the db server.
> Someone would have to compromise the webserver to get in to 
> the db server,
> and they would still really not have an easy time 
> compromising the db server
> since they will only have access to it on port 80 (or 
> whatever port you open
> for it).  They'll still have access to the data on it though, 
> but no matter
> what setup you choose, if someone compromises the webserver 
> they will always
> have access to the db since the webserver must be able to 
> talk to the db.
> 
> Jay
> 
> 
> 
> > -----Original Message-----
> > From: Jason Sowers [mailto:jsowers at osii.com]
> > Sent: Monday, March 19, 2001 3:57 PM
> > To: tclug-list at mn-linux.org
> > Subject: RE: [TCLUG] Port switching
> >
> >
> > Well, that is naturally how I would do it.  This customer,
> > however, is a
> > security freak.  They don't want that port open all the way to their
> > corporate network.  I actually am supposed to have two DMZ's
> > back to back
> > and be switching ports going through each one.  It doesn't
> > make all that
> > much sense to me but I have to do what the customer wants.
> >
> > Thanks all for your input.
> >
> > -----Original Message-----
> > From: tclug-list-admin at mn-linux.org
> > [mailto:tclug-list-admin at mn-linux.org]On Behalf Of Austad, Jay
> > Sent: Monday, March 19, 2001 3:31 PM
> > To: 'tclug-list at mn-linux.org'
> > Subject: RE: [TCLUG] Port switching
> >
> >
> > Why can't you just make a conduit (I assume you're using a
> > pix since you
> > mentioned cisco) to port 80 on the internal machine and only
> > allow access
> > from the outside (dmz) one?  Then you don't need to change
> > around the
> > ports.
> >
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Jason Sowers [mailto:jsowers at osii.com]
> > > Sent: Monday, March 19, 2001 1:51 PM
> > > To: tclug-list at mn-linux.org
> > > Subject: [TCLUG] Port switching
> > >
> > >
> > > Does anyone know if there is hardware/software out there that
> > > will allow me
> > > to switch TCP/UDP ports of communication as it traverses 
> a DMZ?  For
> > > example, if you have a web server that is outside of your
> > > network that is
> > > getting information from a DB server on the inside of your
> > > network, is there
> > > anyway to switch the packet from port 80 to port 5000 as it
> > > crosses the DMZ?
> > > Maybe Linux can do it or some package on Linux.  I can't find
> > > anything that
> > > will do it.  Cisco can't so I don't know really where to go.  Any
> > > input/leads would be great.
> > >
> > > Thanks
> > >
> > > Jason Sowers
> > >
> > > _______________________________________________
> > > tclug-list mailing list
> > > tclug-list at mn-linux.org
> > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > >
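The port switching Jason asked about, as an added example that is not part of the original thread and not anyone's code from the list: a small Python relay a DMZ host could run that accepts the web server on port 80, hands the connection on to the database's real port 5000 on the inside, and closes anything that does not come from the web server's own address. The addresses and ports are assumptions (TEST-NET values); the loopback round-trip helper at the bottom stands in for the DB with an echo service so the whole thing can be exercised on one machine.

```python
"""Port-translating TCP relay with a source allow-list (added example).

Listens on the port the web server expects (80 here), forwards each
accepted connection to the database's real port (5000 here), and closes
anything that does not come from the web server's address.
"""
import socket
import threading

# Constructed values for illustration (TEST-NET addresses), not real hosts.
LISTEN_PORT = 80                  # port the web server is told to use
DB_HOST = "192.0.2.10"            # inside DB server (assumed)
DB_PORT = 5000                    # port the DB server really listens on
ALLOWED_SOURCES = {"192.0.2.20"}  # the DMZ web server (assumed)


def pump(src, dst):
    """Copy src -> dst until EOF, then pass the EOF on with a half-close."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, peer, db_host, db_port, allowed):
    """Apply the allow-list, then relay both directions."""
    if peer[0] not in allowed:
        # Not the web server: drop before a byte reaches the DB.  This check,
        # not the port number, is what limits exposure of the inside host.
        client.close()
        return
    try:
        upstream = socket.create_connection((db_host, db_port), timeout=10)
    except OSError:
        client.close()
        return
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)  # returns when the DB side closes
    client.close()
    upstream.close()


def serve(listen_addr, db_host, db_port, allowed):
    """Start the relay in the background; return (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, peer = srv.accept()
            except OSError:
                return  # listening socket closed
            threading.Thread(target=handle, daemon=True,
                             args=(client, peer, db_host, db_port, allowed)).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def echo_once(srv):
    """Stand-in for the DB service: echo a single connection back."""
    try:
        conn, _ = srv.accept()
    except OSError:
        return
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data)


def relay_roundtrip(payload, allowed):
    """Loopback check: send payload through the relay to a fake DB and return
    what comes back (the echo if the source is allowed, b'' if refused)."""
    db = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    db.bind(("127.0.0.1", 0))
    db.listen(1)
    db.settimeout(5)
    threading.Thread(target=echo_once, args=(db,), daemon=True).start()
    srv, port = serve(("127.0.0.1", 0), "127.0.0.1", db.getsockname()[1], allowed)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while data := c.recv(4096):
                chunks.append(data)
            return b"".join(chunks)
    except OSError:  # refused source: reset or EOF with nothing back
        return b""
    finally:
        srv.close()
        db.close()
```

In a real deployment the same translation normally lives in the firewall rather than a userspace relay: Jay's static/conduit pair on the PIX, or a netfilter DNAT rule on a Linux 2.4 box that rewrites the destination port in the kernel. The relay is only here to make the mechanics visible, and it makes Jay's point concrete: the allow-list on the source address is the control, the port number is cosmetic, and whoever compromises the web server still reaches the DB through whichever port you pick.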