Greetings all.
I have a question that has been asked by many, but the answers always seem to avoid addressing the scenario fully. I know what I am asking has been done because I was a road warrior for two other firms (connect over the internet) and I had the Green Dot on my SEP Client systray icon, even though I was not connected via VPN and I was on the airport wi-fi, coffee shop (insert your favorite brand here) wifi, etc.
What I haven't been able to determine is what was done in order to achieve this level of manageability but in a secure fashion.
Considering compliance restrictions and the need for maintaining a secure link, it is my understanding that requests/connections must terminate in the DMZ. It is also my understanding that having a direct link from the outside through the firewalls to the inside is not good practice.
--So, does NAT from DMZ to internal SEPM meet this requirement? Isn't this essentially creating an undesirable direct link to the internal network from the outside?
--Also, I thought that perhaps there is a SEPM in the DMZ (same site but with the DB inside the LAN), but reading that authentication/communication between SEPM and DB is clear text leads me to think that this is not the actual config.
I know that many of you are thinking that what is being done is to install a second SEPM site (with local DB instance) in the DMZ as a replication partner, and I know this is a realistic and viable option, but I also know that this is not what they were doing in these firms.
What am I missing? Has any of you seen or been in a similar configuration?
I'm at a new company where I'm not the road warrior, but rather the IT Sec guy, and I want to achieve the same level of manageability without weakening the security posture. We have a large road warrior population. The concern isn't about updates and policy updates; it is about logs, notifications, and reporting, and I want to know a system is compromised before it comes back home.
Thanks in advance for your feedback. Feel free to ask any followup/clarification questions.