Re: [fw-wiz] DMZ and critical data



I typically suggest replicating the required data to a back-end data DMZ
host. If you have to provide access to it, do it in the most secure means
possible. I could see where this would cause some issues if it has to be
updated real-time from the client, but if you approach it (as you seem to
be) with the idea of never allowing untrusted networks to connect to trusted
networks, you are on the right track.


On Fri, 7 Jul 2006, Pedro Henrique Morsch Mazzoni wrote:

Hello,

I am doing a network security project for a friend of mine.
We will do a back-to-back DMZ, with an external and an internal firewall.
In our project, only the web and mail servers stay in the DMZ.
But the company wants to access a web-based application from the internet.
The webserver needs access to a file and a database server, but the
data on this server is critical.
My suggestion is to put a webserver in the internal network and
configure a VPN, but it is not possible for the client.
I don't want to put the file and database servers on the DMZ, but if I
put it on the internal network the webserver on the DMZ has to access
the server, which compromises my security.

Any suggestions?

Pedro Mazzoni
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


--
Carric Dooley
COM2:Interactive Media USA
