HP3000-L Archives

January 2007, Week 4

HP3000-L@RAVEN.UTC.EDU

From: Art Bahrs <[log in to unmask]>
Date: Wed, 24 Jan 2007 08:00:19 -0800
Hi Susan :)
    Tracy and Ray gave the technical answers :)  I would like to cover a
side aspect of your question... Security .... (I heard those groans all of
you :) hehehe)

    Even if this is doable ... you don't want to allow a whole range of
IPs into your box... IP spoofing is one thing that comes to mind... the other
thing is that a machine in that range may get infected (think Welchia) or
become a 'zombie' for someone... and it would have a right to come into
your box ...

   I am going to do the bad thing and 'assume' that your external perimeter
firewall will be configured to allow only certain traffic to pass inbound
and outbound, and that inbound traffic will only be allowed from certain
IPs to route to your 3k or any destination within your infrastructure.

   Remember, there is a reason we call the external-facing regions of our
network topographies 'DMZs'... A good friend of mine who is a network
engineer in civilian life and a groundpounder in the military likes to
refer to his DMZs as his "kill zones" <eg>

    Finally, if you have to, here is an idea that should be able to work
with this client:

1. Build an FTP/EDI box in the "DMZ"
      1.a. Put an Intrusion Detection System (IDS) on this box
      1.b. Set up the IDS to properly alert you should anything "unusual"
happen on the FTP/IDS box
      1.c. Investigate Managed Service Providers such as Counterpane for
helping you with monitoring the IDS
      1.d. Set up PKI-based keys for you and your client
      1.e. Exchange PKI keys with your client
2. Create a job inside your perimeter that takes the datafile and encrypts
it.
3. Create a job that moves the encrypted data to the FTP/EDI box
4. Your client logs into the FTP/EDI box and gets the file
5. Your client decrypts the data using their half of the PKI keys you both
have exchanged :)
6. You create a job that documents into logs (somewhere) that the client
logged in and got the file.
7. Document this whole process and put it in your Data Center SOPs
8. Be ready to show the documentation to the Auditors (who should actually
like this answer)
9. Get a large bottle of a 12-year-old (or older) "adult beverage" and keep
it handy... you unfortunately are gonna need it when doing this type of
'stuff' hehehe

Note that a lot of this could actually be set up on your 3k... see archives
for posts on using PGP on 3k's.

Having FTP pickups and deliveries occur in a true DMZ on a separate box
from the boxes holding your production data is much safer and saner than
having outsiders on your production based boxes.

Would you have someone come into your data center to pick up a tape?  No,
you send the tape up to the front desk, tell the receptionist who can pick
up the tape, and the receptionist asks for ID when the client picks up the
tape.  Also, if the ID isn't of the person(s) you said could pick up the
tape, the receptionist should call you and ask for new instructions (human
factor - a computer would just deny the request and log the denial.)

Art "taking security hat off now :) " Bahrs

=======================================================
Art Bahrs, CISSP           Information Security          The Regence Group
(503) 225-4992             Cell 971-244-2459             FAX (503) 220-3806
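The procedure above leaves two things to the reader: step 1.b (have something alert on anything "unusual" on the drop box) and step 6 (log that the client logged in and got the file). Both can be driven from the drop box's own transfer log, and doing so also covers the point made earlier in the post that an address inside the agreed range is not proof of good behaviour (the infected or 'zombie' host case). The following is an added example, not code from the original post or from any HP 3000 product: it walks a few constructed log lines in a simplified xferlog-like shape, records legitimate pickups, and raises an alert for anything else. The account name, the staged file name, the TEST-NET address range and the log format are all assumptions made for the example.

```python
"""Audit pass over a DMZ FTP/EDI drop-box transfer log.

Records the expected pickup (the 'client logged in and got the file' step)
and alerts on anything else: an address outside the agreed client range,
an unexpected account, or a fetch of anything other than the staged file.
Everything below (range, account, file name, log format) is an assumption
constructed for this example.
"""
import ipaddress
import re

# Assumptions: the client arrives from DHCP-assigned addresses in this range,
# uses this account, and is expected to fetch exactly one staged file.
CLIENT_RANGE = ipaddress.ip_network("203.0.113.0/24")   # TEST-NET-3, constructed
CLIENT_ACCOUNT = "csxpickup"                            # hypothetical account name
EXPECTED_FILE = "/outbound/edi_20070124.pgp"            # hypothetical encrypted file

# Constructed log lines: "<date> <time> <source ip> <account> <action> <path> <ok|fail>".
SAMPLE_LOG = """\
2007-01-24 06:02:11 203.0.113.17 csxpickup LOGIN - ok
2007-01-24 06:02:14 203.0.113.17 csxpickup RETR /outbound/edi_20070124.pgp ok
2007-01-24 06:02:15 203.0.113.17 csxpickup LOGOUT - ok
2007-01-24 06:40:03 203.0.113.88 csxpickup LOGIN - ok
2007-01-24 06:40:05 203.0.113.88 csxpickup RETR /etc/passwd fail
2007-01-24 06:40:06 203.0.113.88 csxpickup RETR /outbound/ fail
2007-01-24 07:15:30 198.51.100.9 csxpickup LOGIN - fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<user>\S+) "
    r"(?P<action>\S+) (?P<path>\S+) (?P<result>ok|fail)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text):
    """Walk the log; return {'pickups': [(ip, ts), ...], 'alerts': [str, ...]}."""
    pickups = []
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            if raw.strip():
                alerts.append(f"unparseable log line: {raw!r}")
            continue
        ip = ipaddress.ip_address(rec["ip"])
        # The perimeter firewall should already drop these, but the drop box keeps
        # its own record: a source outside the agreed range is always unusual.
        if ip not in CLIENT_RANGE:
            alerts.append(f"{rec['ts']} {ip}: source outside {CLIENT_RANGE}")
            continue
        if rec["user"] != CLIENT_ACCOUNT:
            alerts.append(f"{rec['ts']} {ip}: unexpected account {rec['user']}")
            continue
        # In-range and the right account, yet anything other than a successful
        # fetch of the staged file is still 'unusual' (the infected-host case).
        if rec["action"] == "RETR":
            if rec["path"] == EXPECTED_FILE and rec["result"] == "ok":
                pickups.append((rec["ip"], rec["ts"]))
            else:
                alerts.append(
                    f"{rec['ts']} {ip}: RETR {rec['path']} ({rec['result']}) "
                    f"is not the staged file"
                )
    return {"pickups": pickups, "alerts": alerts}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for ip, ts in result["pickups"]:
        print(f"PICKUP  {ts} {ip} fetched {EXPECTED_FILE}")
    for msg in result["alerts"]:
        print(f"ALERT   {msg}")
```

On the constructed sample this records one pickup (the 06:02 session from 203.0.113.17) and raises three alerts: the two off-target fetches from 203.0.113.88, which is inside the allowed range, and the login attempt from 198.51.100.9, which is not. The pickup list is what step 6 asks you to keep for the auditors; the alerts are what step 1.b asks the IDS, or a managed monitoring service, to act on.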


                                                                           
                "Susan Roden"                                              
                <susan.roden@I                                             
                PAPER.COM>                                              To 
                Sent by:               [log in to unmask]              
                "HP-3000                                                cc 
                Systems                                                    
                Discussion"                                        Subject 
                <HP3000-L@RAVE         [HP3000-L] NMMGR - adding a host    
                N.UTC.EDU>             without a set IP (uses DHCP)        
                                                                           
                                                                           
                01/24/2007                                                 
                05:49 AM                                                   
                                                                           
                                                                           
                Please respond                                             
                      to                                                   
                "Susan Roden"                                              
                <susan.roden@I                                             
                  PAPER.COM>                                               
                |------------|                                             
                | [ ] Secure |                                             
                |     E-mail |                                             
                |------------|                                             
                                                                           




I have a customer (CSX) that I need to be able to connect from my HP3000
to their system using FTP.  I want to add them to my NMMGR configuration,
but they don't have a set IP address for their box; it's a range of IP
numbers that can be used.

Does anyone know how to do this?

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
