IIS Mirror Solution - odd security requirements

By dave the IT guy
I am looking to share an intranet application in an Extranet fashion to a specific external company that does sub-contract work for us. The problem is that the security requirements for this external site are extreme - because part of the production takes place within a correctional facility. So Internet access is strictly forbidden. This external sub contractor does have a small office outside the correctional facility that does have Internet access. I was thinking to maybe somehow set up a mirror that would pull data from a public facing Extranet site - but don't know what the best way to proceed is. The intranet site has ties to an Oracle-based ERP system that needs to be accessed within the correctional facility - without a WAN link.

All Answers

Clarification

by robo_dev In reply to IIS Mirror Solution - odd ...

So the site mirror could reside on the contractor's 'small office' and be accessed from their PC 'in the big house'?

So the prisonPC has some sort of private data circuit to the contractor's 'small office'?

yes

by dave the IT guy In reply to Clarification

There is a data link between the small office and the production facility inside the prison.

How do they determine that there is no Internet access?

by robo_dev In reply to yes

Because their prisonPC connection will look a lot like it's going to the Internet if it can get to a site that's mirrored offsite.

The simplest way to do it would be through router ACLs and/or a proxy at the remote office. If the ONLY IP address that the prisonPC can access is your Extranet server (via the little office), would that be allowable?

If yours was a simple non-database-driven web app, you could just mirror it at the little office, but most web sites are too complex for that.

DNS is the control

by dave the IT guy In reply to How do they determine tha ...

The systems inside the prison are controlled by the IT department in the prison and the network they are on has no access to the public DNS system - it is entirely internal.

DNS is the wrong answer

by ron In reply to DNS is the control

DNS is not the way to implement security. If all you're doing is removing a DNS entry then how can that stop an inmate from directly entering an IP address?

Instead, disable routing on the server. The server should only be offering managed proxied services.
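
The gap between the two controls discussed in this thread, as an added example that is not part of any poster's message: a first-match, default-deny ACL that permits only the Extranet server, compared against a model in which the absence of public DNS is the only barrier. All addresses, the port, and the rule set are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

# All addresses are constructed samples (RFC 1918 / RFC 5737 ranges).
PRISON_NET = ipaddress.ip_network("10.20.0.0/24")
EXTRANET = ipaddress.ip_network("192.0.2.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

class Rule(NamedTuple):
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]         # None matches any port

class Flow(NamedTuple):
    src: str
    dst: str                    # destination IP actually contacted
    port: int
    by_name: bool               # True if the client had to resolve a public hostname

# Hypothetical ACL: only HTTPS to the Extranet server, then explicit deny-all.
ACL = [
    Rule("permit", PRISON_NET, EXTRANET, 443),
    Rule("deny", ANY, ANY, None),
]

def acl_allows(flow: Flow, acl=ACL) -> bool:
    """First-match evaluation; anything unmatched is denied."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for rule in acl:
        if src in rule.src and dst in rule.dst and rule.port in (None, flow.port):
            return rule.action == "permit"
    return False

def dns_only_allows(flow: Flow) -> bool:
    """Model of 'no public DNS' as the sole control: only name lookups fail."""
    return not flow.by_name

def control_gap(flows):
    """Flows that a DNS-only control lets through but the ACL blocks."""
    return [f for f in flows if dns_only_allows(f) and not acl_allows(f)]

# Constructed sample traffic from one prison workstation.
FLOWS = [
    Flow("10.20.0.15", "192.0.2.10", 443, False),    # Extranet server
    Flow("10.20.0.15", "198.51.100.7", 80, True),    # public site by name
    Flow("10.20.0.15", "198.51.100.7", 80, False),   # same site, IP entered directly
    Flow("10.20.0.15", "192.0.2.10", 22, False),     # Extranet host, other port
]
```

`control_gap(FLOWS)` returns the last two flows: both get past a DNS-only control and are stopped only by the ACL.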
