With right guidelines, servers can survive outside of firewalls
Good security practices make life outside the firewall less scary than you might think.
Government network administrators often get requests from their application developers
to locate servers outside the enterprise firewall. The routine answer is no, but
exceptions sometimes must be made.
Why? External machines give employees a workspace to share with outside contractors and
agency partners, while preventing remote workers from penetrating the internal network.
If the server is attacked by a hacker, the firewall is still in place. The compromised
server can't be turned into a launch pad for an internal penetration.
Putting a machine outside your firewall still carries security risks, however. It also
makes life harder for the content managers who perform updates.
Here are some rules to minimize risks and streamline operations for a server outside
SSH is in place, users can transfer files by a single command--similar to the Unix rcp
command--without having to set up an extended FTP session. SSH servers start around $500;
client software costs about $100 per user. Visit http://www.datafellows.com/f-secure/fnetsys.htm
for details on the popular F-Secure SSH Server from Data Fellows of San Jose, Calif.
When a remote user
sends a request, the firewall should give the Web server access only to the database
server--no other internal services. If the external server gets hacked, the only path into
your network leads to the database server, which has its own access controls.
user receives a card that synchronizes the password display with the server. To gain
access, the user must know the password of the minute, which can be known only through the
SDSI scans for well-known attack signatures from Internet connections, dial-in users
and internal users. Details appear at http://www.internettools.com.
None of these products by itself can guarantee safety. As a group, they create a fairly
secure shared workspace outside the firewall. The need for such workspaces will rise in
the months ahead, so it's worth learning how to protect your server before you install it.
Shawn P. McCarthy is a computer journalist, webmaster and Internet programmer for
Cahners Publishing Co. E-mail him at[email protected].