We're researching several different EDI systems and are currently gathering
infrastructure information from the vendors. One area of concern that has
come up is the component placement within the various firewall security
zones (Internal/External/DMZ). Some vendors have an AS2 "listener" within
the DMZ that receives AS2 communications from the trading partners,
validates the data, and forwards it on to the application servers within the
internal network. Other vendors recommend allowing the trading partners to
communicate directly with the application servers on the internal network.
They claim that there is enough security in the application to prevent abuse
of the server/network.

I see three possible configurations -

1) Systems with AS2 communications via a "listener" in the DMZ
2) Systems with AS2 communications via a reverse HTTP proxy in the DMZ
3) Systems with AS2 communications directly to internal servers

I suppose I prefer them in the above order. Several vendors are pretty
insistent that #3 is "good enough" because of their "excellent software" -
I'm inclined to compromise with #2 instead.

I'd appreciate any info anyone can offer on implementing this type of app
(AS2-based EDI). Do I have these configurations ranked appropriately (from
a network security perspective)? Are there configurations I'm not
considering? Is it fair to say that configuration #3 is a "worst-case"
scenario (from a network security perspective)?

Any constructive comments are welcomed and appreciated!

- Paul
firewall-wizards mailing list
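An added example, not code from the post above or from any EDI vendor, of the admission gate a DMZ AS2 "listener" (configuration #1) applies before it relays anything to the internal application servers: only POST, a bounded body, a known (AS2-From, AS2-To) pair, a Message-ID, and a Content-Type that RFC 4130 actually allows for an AS2 payload, with the relay target fixed rather than taken from the request. The partner names, the internal URL and the size limit are assumptions; S/MIME signature verification and decryption, which need the partner certificates and the receiver's private key, are deliberately left out. The same rules are what one would push into the reverse proxy of configuration #2 (method, path and body-size limits), which is why #2 still removes most of what #3 exposes.

```python
"""Admission checks for a DMZ AS2 listener, written as an added example for
this page (not from the post or any vendor product).  Partner table, internal
URL and size limit are assumed values."""

import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed trading-partner table: (AS2-From, AS2-To) pairs this listener accepts.
PARTNERS = {
    ("ACME-PARTNER", "OURCOMPANY-AS2"),
    ("GLOBEX-EDI", "OURCOMPANY-AS2"),
}
# Assumed single internal endpoint; nothing in the request may choose another.
INTERNAL_FORWARD_URL = "http://as2-app.internal.example:8080/as2/receive"
MAX_BODY_BYTES = 16 * 1024 * 1024  # assumed site limit

# Media types RFC 4130 permits for the AS2 payload.
ALLOWED_MEDIA_TYPES = {
    "application/pkcs7-mime",   # encrypted and/or signed S/MIME
    "multipart/signed",         # clear-signed S/MIME
    "application/edi-x12",
    "application/edifact",
    "application/edi-consent",
    "application/xml",
}

# RFC 4130 AS2-From / AS2-To: 1-128 characters, either an RFC 2822 atom or a
# double-quoted string of printable ASCII without embedded quotes.
_UNQUOTED = re.compile(r"^[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]{1,128}$")
_QUOTED = re.compile(r'^"[\x20-\x21\x23-\x7e]{1,128}"$')


def parse_as2_id(value):
    """Return the canonical AS2 identifier, or None if it is malformed."""
    if value is None:
        return None
    value = value.strip()
    if _UNQUOTED.match(value):
        return value
    if _QUOTED.match(value):
        return value[1:-1]
    return None


def media_type(content_type):
    """'application/pkcs7-mime; smime-type=enveloped-data' -> 'application/pkcs7-mime'."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def admit(method, headers, content_length):
    """Decide whether an inbound request may be relayed.

    Returns (http_status, reason, forward_url).  forward_url is None whenever
    the request is rejected and is always the fixed internal URL otherwise."""
    if method != "POST":
        return 405, "AS2 messages are always POSTed", None
    if content_length is None or content_length > MAX_BODY_BYTES:
        return 413, "missing or oversized Content-Length", None
    sender = parse_as2_id(headers.get("AS2-From"))
    receiver = parse_as2_id(headers.get("AS2-To"))
    if sender is None or receiver is None:
        return 400, "malformed or missing AS2-From/AS2-To", None
    if (sender, receiver) not in PARTNERS:
        return 403, "unknown trading partner pair", None
    if not headers.get("Message-ID"):
        return 400, "missing Message-ID", None
    if media_type(headers.get("Content-Type")) not in ALLOWED_MEDIA_TYPES:
        return 415, "content type is not an AS2 payload", None
    return 202, "accepted for relay", INTERNAL_FORWARD_URL


class AS2Listener(BaseHTTPRequestHandler):
    """Minimal HTTP front end around admit().  The relay to the internal
    server is a stub here because that server does not exist in this example."""

    def do_POST(self):
        length = self.headers.get("Content-Length")
        status, reason, target = admit(
            "POST", self.headers, int(length) if length and length.isdigit() else None)
        if target is None:
            self.send_error(status, reason)   # rejected in the DMZ, never forwarded
            return
        body = self.rfile.read(int(length))
        # relay(body, self.headers, target) would go here (assumed helper);
        # the MDN is produced only after signature/decryption checks succeed.
        self.send_response(status)
        self.end_headers()
        self.wfile.write(b"accepted\r\n")

    def do_GET(self):  # nothing but AS2 POSTs is served from the DMZ
        self.send_error(405, "AS2 messages are always POSTed")


# Constructed sample request headers for an offline check.
SAMPLE_OK = {
    "AS2-Version": "1.2",
    "AS2-From": "ACME-PARTNER",
    "AS2-To": "OURCOMPANY-AS2",
    "Message-ID": "<20240101120000.1@acme.example>",
    "Content-Type": "application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m",
}

if __name__ == "__main__":
    print(admit("POST", SAMPLE_OK, 4096))
    HTTPServer(("0.0.0.0", 4080), AS2Listener).serve_forever()  # assumed DMZ port
```

Run stand-alone, the module prints the admission result for the constructed request and then listens on the assumed DMZ port; the firewall rule that pairs with it is the one the post is really asking about: trading partners reach only this port in the DMZ, and only the listener host may open the single forward port to the internal application server.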