slxdeveloper.com Community Forums |
Is external web access really secure?
Posted: 18 Jun 07 10:28 PM
In SLX 7.0, 7.0.1, & 7.2 (maybe other versions) the recommended configuration for external access to the SLX Web Host Server is to put both the Web server and SLX on the corporate LAN, maybe even on the same computer. Once this is done, the Web client is open to the Internet through port 80 or preferably port 443. By opening port 80 and/or 443 to the Internet, doesn't this open a big security hole? If someone figures out a new way to hack IIS (is it really secure?), then they would basically OWN the web host server!
It seems reasonable then to put the SLX Web Host in the DMZ. But to make it work with SLX, you need to open 1706, 1707, 1433, 1434?, 135, 445, 138 between the DMZ and the LAN. And that's a bigger firewall hole than just putting the whole SLX thing on the LAN and opening up www.
Isn't this whole Web Host Server a pretty big security risk?
Re: Is external web access really secure?
Posted: 19 Jun 07 3:54 AM
Yep, welcome to the world of security/web. ANYTHING that exposes the www to your corporate LAN is a security risk. However, your concerns are a little unjustified that - if they could get in via a single port (80/443) and do "anything" then that pretty much relates to anything. The only secure system is one that is not exposed. But, in the main, it's really not as bad as you think - provided you have a decent firewall with stateful packet inspection etc. (i.e. confirms web traffic IS web traffic).
Re: Is external web access really secure?
Posted: 19 Jun 07 9:52 AM
Why do security people recommend DMZ? It is to protect the LAN network, right? Then putting the Internet directly accessible (OK with a stateful inspection firewall) to the LAN seems a bit more risky than putting the SLX Web Host in a DMZ. This reminds me of the best practices by Microsoft for the deployment of Exchange Server. You put a bastion Exchange front end on the Internet (typically in the DMZ) and have the Exchange data store on the LAN. Then you tunnel in with RPC over HTTPS from Outlook or use OWA. It just seems to me that in order to host SalesLogix, one must expose MS SQL and OLEDB for most of SalesLogix and add in SMB protocols to run the Library and Attachments. And that is a lot of security to give up.
Re: Is external web access really secure?
Posted: 19 Jun 07 10:03 AM
Yes, it is - you have two network cards (or a device with 2 NICs) - with the internal NIC providing internal traffic to the external NIC - with the idea being that nothing can cross from one to the other unless it's allowed e.g. it's a physical split as opposed to software split. It's generally considered that anything in the DMZ is sacrificial. You no longer have to expose SMB anymore (if you mean Web) as it uses pure HTTP traffic now.
Re: Is external web access really secure?
Posted: 19 Jun 07 9:48 PM
I'm not sure what you said in your post. I thank you for replying though.
The fact is, in SalesLogix Web Host, to use library and attachments you must do that through the SMBs -- the file system. So there are open SMB ports (and SQL ports) running from the DMZ to the LAN. And opening those ports up in the DMZ, I believe, is too big a security risk.
By the way, our scenario is a three-network firewall device. 1-LAN, 2-DMZ, 3-Internet.
Re: Is external web access really secure?
Posted: 16 Dec 08 10:25 AM
We are in the same situation now. We are about to go to SLX 7.5 Web, and making the attachments work seems to be a challenge because our web server will be on the DMZ and security won't open port 138.
Did you ever resolve this problem? How did you make the attachments work?
Thanks, Uma
Re: Is external web access really secure?
Posted: 19 Dec 08 9:33 PM
An alternative approach, which seems a lot more secure, is not to open up your SLX web server to the Internet. Instead, serve the SLX web application over the company Intranet and insist that remotes initiate a VPN connection before connecting to it. Many companies already have VPNs in place - why not just piggy-back on them and avoid the security threat?
Phil
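The trade-off argued over in this thread, as an added example that is not part of any post: a small Python model that counts firewall rules and the LAN services a compromised web host could reach in each layout (web host on the LAN, web host in the DMZ, VPN only). The port numbers are the ones listed in the first post; the host names, the service inventory and the pinning of each DMZ-to-LAN port to a single host are constructed assumptions.

```python
# Added example (not from the thread): compare what a compromised web host can
# reach in the three layouts discussed. Hosts and listeners are constructed.
LAN_SERVICES = {                      # constructed inventory: host -> listening ports
    "slx-server":  {1706, 1707},
    "sql-server":  {1433, 1434},
    "file-server": {135, 138, 445},
    "workstation": {135, 445},
}
WEB_PORTS = {80, 443}

# Firewall rules as (source zone, destination host, port). The DMZ -> LAN ports
# are the ones listed in the thread; pinning each to one host is an assumption.
LAYOUTS = {
    "web host on LAN": ("lan", {("internet", "web", p) for p in WEB_PORTS}),
    "web host in DMZ": ("dmz", {("internet", "web", p) for p in WEB_PORTS}
        | {("dmz", h, p) for h in ("slx-server", "sql-server", "file-server")
           for p in LAN_SERVICES[h]}),
    "VPN only": ("lan", set()),       # nothing is published to the Internet
}

def exposure(web_zone, rules):
    """Return (ports published to the Internet, LAN services reachable from the web host)."""
    published = sorted(p for src, dst, p in rules if src == "internet" and dst == "web")
    reachable = set()
    for host, ports in LAN_SERVICES.items():
        for port in ports:
            # Same zone: traffic never crosses the firewall, so no rule is consulted.
            if web_zone == "lan" or (web_zone, host, port) in rules:
                reachable.add((host, port))
    return published, sorted(reachable)

def compare():
    """Summarise each layout: firewall rule count, published ports, pivot surface."""
    out = {}
    for name, (zone, rules) in LAYOUTS.items():
        published, reachable = exposure(zone, rules)
        # Without a published port the web host is not reachable from the Internet
        # (the VPN itself is not modelled here).
        pivot = reachable if published else []
        out[name] = {"rules": len(rules), "published": published, "pivot": pivot}
    return out

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name}: {r['rules']} rules, published={r['published']}, "
              f"{len(r['pivot'])} LAN services behind the web host")
        for host, port in r["pivot"]:
            print(f"    {host}:{port}")
```

Under these assumptions the DMZ layout needs more firewall rules than the LAN layout, but the set of LAN services sitting behind the web host is smaller because hosts without a rule stay unreachable.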