Friday, November 21, 2008
 Internet application security Concern
 
 4/24/2008 2:09:37 AM
rentom
1 posts


Internet application security Concern

This is a small background on the problem

Our company's software mainly revolves around 2 systems.

We have a corporate internal VB6 client-server application which is our company's "bread and computer" and is used for financials, budgeting and invoicing and administration. I will call this "INT" for reference. And we have a customer-facing website written in C# which is used by our customers for receiving invoices and running some reports. I will call this "EXT" for reference.

We have an external company which is porting "INT" into a web application written in C#. However, they claim that it is perfectly safe to have "EXT" and "INT" on the same server exposed on the internet. So at the end of the day we will end up having a single INTERNET portal where customers can log in to see their specific information and employees can log in to do their daily jobs.

However, my concern is that if we were to go on their recommendation, all that prevents anyone from accessing the corporate internal application is a user name and password provided via Forms authentication, and this web page is accessible to anyone in the world!!!!! (We don't have any form of NT authentication on the websites, just FORMS!!!)

My argument to the management was that "INT" should be on the intranet and not on the internet along with the customer portal. However, I could not find any technical articles proving I am correct. Well, I am not even sure if I am correct. Please help!!!!!! I need to know if my argument has any validity.

To my argument all I have is there is not a single corporate website I could find on the internet where there is an option for employees to log in and perform their day to day activities like invoicing, operations etc...

 

 

 

 

 8/14/2008 10:18:30 AM
jeffdemel
2 posts


Re: Internet application security Concern

rentom,

 

I would say you have a valid argument.  It is more secure to put your intranet on the internal network, and not have it public.  You may lack some convenience, as your own people will not have direct access to it from outside of the office, but it's definitely more secure.  You can set up a VPN or other way to get into it from the outside, but it does increase the hassle.

 

Sorry I don't have any links for you, but it's not all that complicated an argument.  I'm sure if they're reasonable, you will be able to make your point.  I will say, however, that using forms authentication to log into an intranet is pretty common practice, at least from my experience.  Use a proper setup, with HTTPS and strong passwords, of course.

 

-Jeff
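
The setup described in the reply above (INT kept off the public network, forms authentication only over HTTPS, strong passwords), sketched as a `web.config` for INT hosted as its own IIS 7 site. This is an added example, not configuration posted by anyone in the thread; the `10.0.0.0/8` office/VPN range, the provider and connection string names, and the password thresholds are assumptions.

```xml
<?xml version="1.0"?>
<!-- web.config for the internal application ("INT"), hosted as its own site.
     Assumed values: 10.0.0.0/8 as the office/VPN range, names, thresholds. -->
<configuration>
  <connectionStrings>
    <!-- Placeholder: point this at INT's own membership database -->
    <add name="IntMembershipDb" connectionString="PLACEHOLDER" />
  </connectionStrings>
  <system.web>
    <!-- Forms authentication: the ticket cookie is only ever sent over HTTPS -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" protection="All"
             timeout="20" slidingExpiration="false" cookieless="UseCookies" />
    </authentication>
    <!-- No anonymous access to any page of INT (the login page stays reachable) -->
    <authorization>
      <deny users="?" />
    </authorization>
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
    <!-- Password strength and lockout enforced by the membership provider -->
    <membership defaultProvider="IntSqlProvider">
      <providers>
        <clear />
        <add name="IntSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="IntMembershipDb"
             applicationName="INT"
             passwordFormat="Hashed"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false" />
      </providers>
    </membership>
  </system.web>
  <system.webServer>
    <security>
      <!-- IIS 7 IP restrictions: refuse every client outside the listed range -->
      <ipSecurity allowUnlisted="false">
        <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

The `ipSecurity` section only takes effect when the IIS "IP and Domain Restrictions" feature is installed and the section is unlocked for the site. It is a second layer on top of network placement, not a substitute for keeping INT off the internet-facing server.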

 10/2/2008 9:06:12 PM
jmsides
2 posts


Re: Internet application security Concern

Not only should they be on different machines, they should not even be in the same segment.

http://www.boran.com/security/webserver_practices.html

http://csrc.nist.gov/nissc/1996/papers/NISSC96/paper020/ncsc1.pdf

http://csrc.nist.gov/

If one machine is running virtual partitions with multiple Ethernet cards, you may be able to justify one machine.

What does your Privacy Policy (should be linked to your home web page) say about protecting Personal Private Information?

 

 

Copyright 2008, Dallas .NET Users Group