Deploying a DMZ Internationally

From: Led Slinger (leds@darkwater.net)
Date: 07/27/01 

From: "Led Slinger" <leds@darkwater.net>
To: security-basics@securityfocus.com
Subject: Deploying a DMZ Internationally
Message-Id: <20010727123839.8845B235FB6@mail.darkwater.net>
Date: Fri, 27 Jul 2001 08:38:39 -0400 (EDT)

The company that I work for is in the process of correcting a very old
and misguided philosophy on Server access. Traditionally they simply
punched holes through the firewall and allowed access to certain
servers (Individual Projects) within the corporate network
infrastructure. It's been a tremendous challenge to get them to
realize how dangerous it is to allow connectivity behind the protection
of the firewall. SADMIN/IIS and Code Red worked very well though.
<grin> The major hurdle right now is that they have built this legacy
infrastructure internationally and so we're looking at two options:

1. Suck it up and deal with the pain of locating boxes in two places:
a U.S. and European based DMZ. There is quite a bit of logistics
involved with moving servers to these DMZs and the warfare that will
surely start the moment you take these servers out of the hands of
those that currently (mis)manage them locally.

2. Someone suggested that we create a 'VLAN DMZ'. I have to admit
that I am not entirely familiar with the risk versus reward of this
one. I understand that this would enable the current sytem
administrators to keep their machines where they are and still somewhat
isolate them from the corporate infrastructure. Something about
carrying this traffic over the corporate backbone still seems a bit odd
to me.

I was hoping that someone might have dealt with a similar situation and
could provide a litle feedback on the risk/rewards of these two
solutions or maybe know of a better solution altogether.

Thanks in Advance!

Leds... 

-- 
There's nothing wrong with Windows until you install it........

Relevant Pages

  • RE: Question about DMZ Domain Member and Virus Membership
    ... test and audit the servers regularly. ... Question about DMZ Domain Member and Virus Membership ... Tailor your education to your own professional goals with degree ... Computer Emergency Response Teams, and Digital Investigations. ...
    (Security-Basics)
  • RE: antivirus software for DMS computers???
    ... Say you're running an Web+FTP server in your DMZ... ... > All of my servers in the DMZ have AV protection. ... > Ethical Hacking at the InfoSec Institute. ... > pen testing experience in our state of the art hacking lab. ...
    (Security-Basics)
  • Re: internal domain credentials to access DMZ resources
    ... Create a new forest in DMZ, and let DMZ forest trust LAN forest 1 way. ... join web, NAS, and SQL servers to DMZ forest ...
    (microsoft.public.windows.server.active_directory)
  • Re: Question about a trust relationship and terminal serices
    ... one on my internal network and one on a dmz. ... >on to servers in dmz.org. ... the int.org Domain Admins are set as members of the ... > Bob Grabbe ...
    (microsoft.public.windows.server.active_directory)
  • Re: Domain in ISA2004 dmz
    ... put services that are needed to 'listen' for incoming internet requests ... DMZ trusts Seattle.Demo but seattle.demo does ... > Would it just be better if we left nothing but the web servers in the dmz ...
    (microsoft.public.isa)