IIS Mirror Solution - odd security requirements

dave the IT guy
I am looking to share an intranet application in an Extranet fashion to a specific external company that does sub-contract work for us. The problem is that the security requirements for this external site are extreme - because part of the production takes place within a correctional facility. So Internet access is strictly forbidden. This external sub-contractor does have a small office outside the correctional facility that does have Internet access. I was thinking to maybe somehow set up a mirror that would pull data from a public-facing Extranet site - but don't know what the best way to proceed is. The intranet site has ties to an Oracle-based ERP system that needs to be accessed within the correctional facility - without a WAN link.
    robo_dev

    So the site mirror could reside on the contractor's 'small office' and be accessed from their PC 'in the big house'?

    So the prisonPC has some sort of private data circuit to the contractor's 'small office'?

    dave the IT guy

    Yes. There is a data link between the small office and the production facility inside the prison.

    robo_dev

    Because their prisonPC connection will look a lot like it's going to the Internet if it can get to a site that's mirrored offsite.

    The simplest way to do it would be through router ACLs and/or a proxy at the remote office. If the ONLY IP address that the prisonPC can access is your Extranet server (via the little office), would that be allowable?

    If yours was a simple non-database-driven web app, you could just mirror it at the little office, but most web sites are too complex for that.

    dave the IT guy

    The systems inside the prison are controlled by the IT department in the prison and the network they are on has no access to the public DNS system - it is entirely internal.

    ron

    DNS is not the way to implement security. If all you're doing is removing a DNS entry then how can that stop an inmate from directly entering an IP address?

    Instead, disable routing on the server. The server should only be offering managed proxied services.
