I had an interesting encounter this past week. I was called into a client meeting to discuss final details on implementing an extranet. We already had built out the Web application that was going to be exposed outside the firewall. This application was a portal where members of the board of directors could access the various documents and agendas they needed to fulfill their duties as members of the board.

The purpose of this meeting was to finalize the physical configuration of the extranet, specifically as it related to security and ease of access. We had had several meetings with senior IT staff and the business owners of the board of directors' portal content. Our original recommendation was to make use of the organization's existing SSL Secure Access VPN gateway. This was rejected as being too cumbersome.

I was told access to the portal needed to be as simple as clicking a link and entering a user name and password. Given those requirements, we proposed a couple of solutions that basically consisted of an ISA server or device outside the firewall that would provide a security layer (SSL) and a reverse proxy that would route inbound traffic to the server hosting the portal. The design included other features that serve to enhance the system further against various attacks (DOS, L7, etc.). The design wasn't the most secure system we could have delivered, but it represented a reasonable compromise based on the business rules we were provided–ease of use and reasonably secure.