Ok, so my company is standing up a website for a customer. The server is in a managed hosting facility.
We have a system here in our office that has to do some backend processing on data for the site. We manage the site from here on a pair of Linux boxen via ssl, and data is regularly posted from here to the site db over an ssl tunnel. Beyond that the computer here just needs to receive email, send email, and work with an outside FTP site.
Now for reasons that are too convoluted & bizarre to even go into here, this system needs to come off the corporate network. The bandwidth requirements are pretty modest, so we are planning to get a simple DSL line to keep on keeping on. Of course, we need a firewall on this.
Here's the rub. Corporate comm won't let us get the DSL line unless we have a firewall managed by our IT organization on it. But our IT organization is claiming that they don't have the manpower to support this. That it's going to take several hours a day every day to protect this connection, configuring, reviewing logs, etc.
I really want to raise the BS flag on this, but don't know enough about network security to do it. I'm thinking we put a decent hardware firewall on the line. Configure it once ... lock down everything incoming except email. And actually, that can be locked down to about 4 IPs. Maybe open up an incoming SSL connection to a few IPs. Set up an ipsec firewall on the Linux boxen as well, turn off everything we don't need, keep up2date up to date, and we're good.
Am I hopelessly naive about network security, or are our IT guys just trying to play us for more manpower?
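The "lock down everything incoming except mail from about 4 IPs, plus SSL from a few more" plan in the post maps directly onto a default-deny packet filter. The script below is an added example, not configuration from the post or from the company's IT group: it generates an iptables-restore ruleset for one Linux host on the DSL line. The interface name and every address are constructed placeholders (RFC 5737 documentation ranges) and it assumes a Linux box with iptables and the conntrack match available; the real peer lists would be substituted via the environment variables.

```shell
#!/bin/sh
# Added example (not the poster's config): emits an iptables-restore ruleset
# for a single DSL-connected Linux host that only needs inbound SMTP from a
# handful of peers and inbound SSL from a few more. Every address and the
# interface name are constructed placeholders; override them via environment.

WAN_IF="${WAN_IF:-eth0}"                                                  # assumed DSL-facing interface
MAIL_PEERS="${MAIL_PEERS:-192.0.2.10 192.0.2.11 192.0.2.12 192.0.2.13}"  # the "about 4 IPs" for inbound SMTP
SSL_PEERS="${SSL_PEERS:-198.51.100.5 198.51.100.6}"                       # the "few IPs" for inbound SSL (443)
FTP_SITE="${FTP_SITE:-203.0.113.7}"                                       # the outside FTP site the box must reach

gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, and replies to connections this host already opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
  # inbound SMTP: one rule per named source, never open to the world
  for ip in $MAIL_PEERS; do
    echo "-A INPUT -i $WAN_IF -p tcp -s $ip --dport 25 -m conntrack --ctstate NEW -j ACCEPT"
  done
  # inbound SSL: again only from named peers
  for ip in $SSL_PEERS; do
    echo "-A INPUT -i $WAN_IF -p tcp -s $ip --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
  done
  cat <<EOF
# rate-limited ping so the link can still be checked remotely
-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# outbound: only what the job needs (DNS, mail out, SSL to the hosted site, FTP control);
# passive FTP data channels come back as RELATED once the ftp conntrack helper is loaded
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp -d $FTP_SITE --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# everything else is logged (rate-limited so the log stays readable) and then dropped by policy
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-IN-DROP: " --log-level 4
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "FW-OUT-DROP: " --log-level 4
COMMIT
EOF
}

# Usage: ./fw.sh          prints the ruleset for review
#        ./fw.sh apply    loads it with iptables-restore (needs root)
case "${1:-}" in
  apply) gen_rules | iptables-restore ;;
  *)     gen_rules ;;
esac
```

Printing the ruleset before applying it lets whoever signs off on the line check the exposure at a glance: four sources may reach port 25, two may reach 443, nothing else is listening, and the host itself can only talk to DNS, mail, the hosted site and the one FTP server. The two LOG rules are what produce the dropped-packet entries that somebody then reviews; that review, plus patching, is the recurring part of running the box, and the ruleset itself only changes when a peer address does.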