Digital certificates vs. demilitarized zone
Results 1 to 5 of 5

Thread: Digital certificates vs. demilitarized zone

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    472

    Digital certificates vs. demilitarized zone

    I have an intranet application, and now I want to let external users have access to it. Their task is to insert data into my application, not fetch any data. My server is hidden behind a firewall, and it's not yet accessible from the internet. The administration is concerned with security issues, so I have to create a secure environment.

    Now, I have two possible solutions:
    1. I can use digital certificates to authenticate the external users. It might seem like a huge job to provide everyone with a digital certificate, but that's ok. Also, I can set the firewall to only accept connections from a range of IP-addresses, as the external users have static IP's and won't be using the service from any other place than that.

    2. I can put a server on the outside of the firewall (demilitarized zone), and create an application that will recieve a post from the external users and transport data thorugh the firewall and into my intranet application. Unauthorized users who post me data they're not supposed to won't be a problem, since I'm able to remove data that's not supposed to be inserted into the intranet application.

    It seems both solutions will do, but I think no 1 is the better because digital certificates should be safe, and will remove the overhead of the extra server. And digital sertificates is kinda hot these days, so it's gonna make me look good

    Anyway, has anyone got oppinions?
    ---
    proactive
    Share on Google+

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    157

    Post just a thought

    Just an idea: Why not do both?

    I'm always in favor of separating front-end processes from back-end processes. It's more work but the justification is in the redundancy you will be providing ... should one machine or the other go down you will be back into production sooner and have more time to solve the problem rather than donning your fire-fighter gear

    First, I'd set up the outside machine.
    Then, I'd set up the authentication mechanisms.
    Then, I'd encrypt the data on the pass through and decrypt on the receipt.

    Create a multistage project plan doing one step at a time, but always with the larger goal in mind.


    That's 0.02cents worth.
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=
    Noah built the ark BEFORE it rained.


    http://ld.net/?rn
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=
    Share on Google+

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    472
    niboreon: Of course that would be the best solution. But I don't think I'll have time to do both. I'm not sure it's nessecary either, but for the best security... I agree.
    ---
    proactive
    Share on Google+

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    157

    YASP (time)

    Wholeheartedly, I agree that it's important to weigh the cost, time and goals factors into the equation.

    Q: *HOW* secure does it need to be?


    YASP = Yet Another Spare Time Project

    Time is the enemy we all have to fight! That's why I suggested that you set it up as a multi-stage project plan.

    Set a long term schedule, estimating time and costs and resources.


    You had mentioned:
    And digital sertificates is kinda hot these days, so it's gonna make me look good
    So I assumed it would be new for you to deploy and therefore take longer than launching the 2nd machine. Do whichever option you "already" know and have the resources available to complete and get the users into production asap ... especially if this will generate revenue either indirectly or directly ... make it clear that further enhancements would be forthcoming. This meets production goals and gives you time for "professional growth".
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=
    Noah built the ark BEFORE it rained.


    http://ld.net/?rn
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=
    Share on Google+

  5. #5
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    If you have time - do both. I use both but the beauty is - I get someone else to pay!
    Trappedagainbyperfectlogic.
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •