[aklug] Re: Remote access to data

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Thu Dec 06 2007 - 13:01:50 AKST

On Thu, 6 Dec 2007, Damien Hull wrote:

> I'm at the coffee shop trying to access my data back at the home office.
> I have access to my DMZ. Most of the time that's all I need access to.
> Today is a little different. I'm missing a few files on my test server.
> I need to access my data storage server in the internal network.
>
> I could do one of the following.
>
> * Allow ssh into the private network
>   o green interface on IPCop
> * Set up a VPN
>   o Doesn't give me ssh access
>   o I would only be able to grab data on the shared directory
>
> I'm sure there are other options. I'm looking for suggestions. Any ideas?
>
> Oh, I'll be leaving town next week. I would like to have something
> configured before then. I will need access while I'm away.

Allow ssh into the DMZ to a bastion host, then allow ssh from only that
bastion host from the DMZ into your private network. The VPN idea isn't bad
as well, depending on how you implement it, but ssh'ing reduces the size of
the aperture into the network. If you're running your own CA with client
authentication via certs that might not be that big a deal, though.

In general, you should never let any given connection traverse multiple
security zones in one fell swoop.

         --Arthur Corliss
           Live Free or Die
Received on Thu Dec 6 13:02:09 2007
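
The two-hop layout recommended in the reply above (outside to a DMZ bastion, then bastion to the private network) can be checked mechanically against a list of firewall allow rules. The Python below is an added example, not part of the original message; the address ranges, the bastion IP and the `(source, destination, port)` rule format are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption): internet -> DMZ -> private, outside-in.
DMZ = ipaddress.ip_network("192.168.2.0/24")
PRIVATE = ipaddress.ip_network("192.168.1.0/24")
BASTION = ipaddress.ip_network("192.168.2.10/32")
RANK = {"internet": 0, "dmz": 1, "private": 2}

def zone_of(cidr):
    """Map a CIDR to a zone; anything not wholly inside DMZ/private is internet."""
    net = ipaddress.ip_network(cidr)
    if net.subnet_of(PRIVATE):
        return "private"
    if net.subnet_of(DMZ):
        return "dmz"
    return "internet"

def audit(rules):
    """Return (rule, reason) for each inbound allow rule that breaks the two-hop design."""
    findings = []
    for rule in rules:
        src, dst, port = rule
        s, d = zone_of(src), zone_of(dst)
        if RANK[d] - RANK[s] > 1:
            findings.append((rule, "crosses more than one zone in a single connection"))
        elif d == "private" and s == "dmz" and ipaddress.ip_network(src) != BASTION:
            findings.append((rule, "private network reachable from a non-bastion DMZ source"))
        elif d == "dmz" and s == "internet" and port == 22 and ipaddress.ip_network(dst) != BASTION:
            findings.append((rule, "ssh from outside lands on a DMZ host other than the bastion"))
    return findings

# Constructed sample rules: the first two are the recommended pair of hops.
SAMPLE_RULES = [
    ("0.0.0.0/0", "192.168.2.10/32", 22),        # outside -> bastion
    ("192.168.2.10/32", "192.168.1.5/32", 22),   # bastion -> storage server
    ("0.0.0.0/0", "192.168.1.5/32", 22),         # outside straight into private
    ("192.168.2.0/24", "192.168.1.0/24", 22),    # whole DMZ into private
    ("0.0.0.0/0", "192.168.2.20/32", 22),        # outside ssh to another DMZ host
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(rule, "->", reason)
```

Only outside-in flows are evaluated; a source range that straddles zones is treated as internet, so it is flagged rather than trusted.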