Hi Steffen,
I guess I should have said it more clearly that this box will be used to develop web applications and we therefore won't be able to detach the box from the internet but it will for sure be inside the DMZ.
But after all, it's possible to develop web applications without direct internet access, and you should. Otherwise you never know if the sources are unchanged. And if somebody builds in a backdoor in your payment module - good night... Better care and use a second webserver in the devel-net.
But maybe you don't need a secure development environment, maybe we understand different things with this term.
Thanks for your answer Steffen. Guess I didn't express what we want to do. And for sure we have different understandings of the term "secure development environment". Here is what we want to do with the box: Have CVS up and running for version management (primary purpose) A group of people will be notified about any commits and can transfer the code after reviewing to a qa box. Since we will start a "case study" about tele-working the CVS repository should be reachable from the "outside world" as well from within our network. Therefore I thought using SSH for connecting to the box might be a good idea. Later we will have IBM Websphere and a DB2 Database running on the machine. So all in all it is more a Webserver but I will still try to make it as secure as possible. Which is as I understand a big compromise in terms of convenience. Sorry for the confusion I might have caused by not expressing clearly what I mean. Cheers, Andreas -- Andreas Otto OgilvyInteractive | Floor 2, Canberra House 315 - 317 Regent Street | London W1B 2HS Reception +44 207 299 3434 | Fax +44 207 631 5050 http://www.ogilvy.com
* Andreas Otto wrote on Tue, Feb 13, 2001 at 09:34 +0000:
Guess I didn't express what we want to do. And for sure we have different understandings of the term "secure development environment".
I see. You don't want to develop security-certified software but have a secure workplace.
Here is what we want to do with the box:
Since we will start a "case study" about tele-working the CVS repository should be reachable from the "outside world" as well from within our network. Therefore I thought using SSH for connecting to the box might be a good idea.
Yep, SSH or VPN.
Later we will have IBM Websphere and a DB2 Database running on the machine.
Probably the DB get's connected by localhost only? That's good for firewalling, just block it :)
So all in all it is more a Webserver but I will still try to make it as secure as possible. Which is as I understand a big compromise in terms of convenience.
I would never recommend to use such a machine as CVS Server, if your sources are important. You have to thing with the possibility of a root compromize of this box if you offer a lot of public services. Webserver or CGI or whatever may have bugs, and SSH and all the code. I would suggest to use two hosts: on secured for development and one public accessible for demonstrations (or whatever). The developer could use a webserver only accessible by localhost (but it's slow to use a browser via SSH X11 Forwarding :)). Maybe you could r/o export a directory via NFS to the Webserver or similar. Of course you should block as much as possible by the firewall in front of the servers. oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.
participants (2)
-
Andreas Otto
-
Steffen Dettmer