[cvsnt] Advice on preferred protocol for internet deployment of CVSNT

Luigi D. Sandon mailbox at sandon.it
Thu Mar 8 09:06:38 GMT 2007

> They have a hosted web server that's reasonably well backed up and on a
> The project sponsor is concerned about theft of his source code, and

I won't host a repository on the same machine acting as a web server, if 
concerned about code theft. A web server opens an attack surface - you can 
harden the CVS protocol as you like, but if the web server or a web 
application is compromised, and the attacker gains access to the file system 
with enough privileges, your code could be gone anyway.

>adding a domain controller or joining the server into an existing domain
>have been ruled out for paranoia reasons.

That may be correct. It is usually better that machines in perimeter networks (i.e. 
DMZs) are not part of a domain in internal networks - many ports have to be 
opened in a firewall to make AD work, and a compromised machine may have 
access to too many domain resources - in any case they become a bridgehead for 
further attacks. Usually they have their own domain, or are configured as 
standalone servers. In Windows 2000 and 2003, the domain *is not* a security 
boundary. The forest is.

> They also have 3 people who need access to this repository

Given the small number of people needing access, IMHO you don't need a 
public machine. I would put the repository on a machine in the company's 
internal network and use a VPN to access it. On the Internet side the CVS 
protocol used is irrelevant; the VPN itself encrypts the transmission.
