Providing internal data or services to external users is a high security risk for your internal network. To do so, incoming exception rules have to be defined in the firewall or a complex DMZ structure has to be set up. The implementation always requires an enormous administration effort, and every exception leaves your firewall vulnerable.
What does the German Federal Office for Information Security say about this topic?
“The connection should always be established from the network segment with the higher protection requirement into the network segment with the lower protection requirement.”
“It must be ensured that there is no unauthorized, externally initiated connection set up into the protected network.”
– German Federal Office for Information Security
The principle of bestproxy
Cordaware is breaking new ground in IT security by providing a solution that eliminates firewall exception rules for data/service provision while reducing administrative effort.
An additional proxy server, the so-called “Hive”, is set up in the internal network. Only one component remains in the DMZ: another proxy server. The task of the “Hive” is to automatically establish connections to the proxy located in the DMZ; these connections are held ready in a so-called “Pool”. When someone wants to reach a server located in the protected network, the client first communicates with the proxy in the DMZ. That proxy takes a free connection from the “Pool” and communicates over it with the “Hive”, which then forwards all data to the actual destination.
This means that no connections are established into the internal network; connections only go in the outward direction. Consequently, no data has to be kept in the DMZ, and no exceptions have to be defined in the firewall that would allow a connection from the internet or the DMZ into the company network.
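The pooling described above, as an added illustration that is not Cordaware's code: a minimal DMZ proxy and Hive in Python, with all three segments simulated on loopback and a constructed upper-casing service standing in for the protected server. It assumes Python 3.8+ (for socket.create_server), serves one request per pooled connection for brevity, and leaves out the PSK encryption the product adds between the two proxies.

```python
import queue
import socket
import threading

HOST = "127.0.0.1"  # all three network segments are simulated on loopback

def _spawn(fn, *args):
    threading.Thread(target=fn, args=args, daemon=True).start()

def _accept_loop(listener, handler):  # one handler thread per accepted connection
    while True:
        _spawn(handler, listener.accept()[0])

def start_dmz_proxy():
    """DMZ proxy: never dials inward; it parks the Hive's outbound connections in a pool."""
    pool, hive_side, client_side = queue.Queue(), socket.create_server((HOST, 0)), socket.create_server((HOST, 0))
    def serve_client(client):
        with client, pool.get(timeout=5) as tunnel:  # tunnel was opened by the Hive earlier
            tunnel.sendall(client.recv(4096))
            client.sendall(tunnel.recv(4096))
    _spawn(_accept_loop, hive_side, pool.put)
    _spawn(_accept_loop, client_side, serve_client)
    return hive_side.getsockname()[1], client_side.getsockname()[1]

def start_hive(proxy_hive_port, service_port, pool_size=2):
    """Internal Hive: keeps pool_size outbound connections open and relays requests inward."""
    def serve_tunnel(tunnel):
        with tunnel:
            request = tunnel.recv(4096)
            if not request:  # DMZ proxy closed the connection: do not reconnect endlessly
                return
            open_tunnel()    # replace the pooled connection that was just consumed
            with socket.create_connection((HOST, service_port)) as svc:
                svc.sendall(request)
                tunnel.sendall(svc.recv(4096))
    def open_tunnel():
        _spawn(serve_tunnel, socket.create_connection((HOST, proxy_hive_port)))
    for _ in range(pool_size):
        open_tunnel()

def demo(message=b"hello from outside"):
    """Client -> DMZ proxy -> pooled outbound connection -> Hive -> internal service."""
    svc = socket.create_server((HOST, 0))  # constructed stand-in for the protected server
    _spawn(_accept_loop, svc, lambda c: (c.sendall(c.recv(4096).upper()), c.close()))
    hive_port, client_port = start_dmz_proxy()
    start_hive(hive_port, svc.getsockname()[1])
    with socket.create_connection((HOST, client_port)) as client:
        client.sendall(message)
        return client.recv(4096)
```

The only listener the internal service ever sees is contacted by the Hive from inside; the DMZ proxy holds no inward route at all, which is the property the firewall rule set no longer has to express.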
At a glance
- Significantly reduced administration and documentation effort
- Increased overall security for your data and network
  - Your data remains exclusively in the internal network
  - Only outgoing connections from the network segment with the higher protection requirement (internal network)
  - Incoming requests are realised via outgoing connections
- Encrypted communication between “Hive” and “Pool” proxy via PSK (pre-shared key)
- Available for all common operating systems (e.g. Windows, Linux, FreeBSD, etc.)