RE: Deploying a DMZ Internationally
From: Chris Lynch (lynch00@msn.com) Date: 07/27/01
- Previous message: Tom Geldner: "RE: Remote Administration on W2K"
- In reply to: Led Slinger: "Deploying a DMZ Internationally"
- Next in thread: Robert Claeson: "Re: Deploying a DMZ Internationally"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Chris Lynch" <lynch00@msn.com>
To: <leds@darkwater.net>
Subject: RE: Deploying a DMZ Internationally
Date: Fri, 27 Jul 2001 13:28:47 -0700
Message-ID: <000001c116da$be622830$e545173f@home>
Well,
I cannot tell you how to really do an International roll-out. But, I
can tell you that going the "VLAN-DMZ" route is a good idea. From what
I have been told (by CCNPs and CCIEs), you cannot hack into a VLAN
remotely. You would have to be either on the physical wire, or have
physical access to the router/switch that is the managing VLAN node.
I can tell you that if I were in your situation, I would look at going
the VLAN-DMZ way. It sounds like a good idea, and one that can work.
You just need to make sure that you do the following:
1. Do not put in an ILS capable NIC (one that can participate in
multiple VLANs). This will open up some security holes (from what I
have been told by the same CCNPs and CCIEs).
2. Take any and all intra-network services off of the servers that will
belong on the DMZ. You do not want your servers that will be on the DMZ
capable of communicating back to your Private and secure network.
I probably missed some things, but that is where I would start.
Chris Lynch, MCSE CCNAv2
Lynch00@msn.com
-----Original Message-----
From: Led Slinger [mailto:leds@darkwater.net]
Sent: Friday, July 27, 2001 5:39 AM
To: security-basics@securityfocus.com
Subject: Deploying a DMZ Internationally
The company that I work for is in the process of correcting a very old
and misguided philosophy on Server access. Traditionally they simply
punched holes through the firewall and allowed access to certain
servers (Individual Projects) within the corporate network
infrastructure. It's been a tremendous challenge to get them to
realize how dangerous it is to allow connectivity behind the protection
of the firewall. sadmind/IIS and Code Red worked very well though.
<grin> The major hurdle right now is that they have built this legacy
infrastructure internationally and so we're looking at two options:
1. Suck it up and deal with the pain of locating boxes in two places:
a U.S. and European based DMZ. There is quite a bit of logistics
involved with moving servers to these DMZs and the warfare that will
surely start the moment you take these servers out of the hands of
those that currently (mis)manage them locally.
2. Someone suggested that we create a 'VLAN DMZ'. I have to admit
that I am not entirely familiar with the risk versus reward of this
one. I understand that this would enable the current system
administrators to keep their machines where they are and still somewhat
isolate them from the corporate infrastructure. Something about
carrying this traffic over the corporate backbone still seems a bit odd
to me.
I was hoping that someone might have dealt with a similar situation and
could provide a little feedback on the risk/rewards of these two
solutions or maybe know of a better solution altogether.
Thanks in Advance!
Leds...
-- There's nothing wrong with Windows until you install it........
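Added example, not from either poster: what separates a "VLAN DMZ" from the inside network in practice is the access list on the router that joins the two VLANs, so the policy itself is worth writing down and checking. The block below encodes Chris's second point (DMZ servers must not be able to initiate connections back to the private network) and the "punched a hole through the firewall" arrangement Leds describes as two first-match, default-deny policies, then probes each one for flows an untrusted zone can open inward. Subnets, hosts, ports and the rule model are all constructed for illustration; this is not any vendor's ACL syntax.

```python
"""Added example: a first-match, default-deny zone policy for a routed
"VLAN DMZ", plus a probe-based audit that flags any flow the DMZ or the
Internet can initiate into the inside network.  Addresses come from
documentation ranges and are constructed for this example."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Tuple

ANY_PORT: FrozenSet[int] = frozenset()   # empty set means "any port"

INSIDE = ip_network("10.0.0.0/8")        # hypothetical private corporate network
DMZ = ip_network("192.0.2.0/24")         # hypothetical DMZ VLAN subnet
ANYWHERE = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp" or "any"
    dports: FrozenSet[int]   # destination ports; ANY_PORT matches all

    def matches(self, src, dst, proto, dport) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))


def decide(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; a flow no rule covers is dropped."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "deny"


# Policy on the router between the DMZ VLAN and everything else.
# Order matters: the inward deny sits before the outward allows, so a
# DMZ host's DNS or web traffic can never be aimed at an inside host.
DMZ_POLICY: List[Rule] = [
    Rule("allow", INSIDE, DMZ, "tcp", frozenset({22, 3389})),   # admin from inside only
    Rule("allow", ANYWHERE, DMZ, "tcp", frozenset({80, 443})),  # the published services
    Rule("deny", DMZ, INSIDE, "any", ANY_PORT),                 # DMZ never initiates inward
    Rule("allow", DMZ, ANYWHERE, "udp", frozenset({53})),       # outbound name resolution
    Rule("allow", DMZ, ANYWHERE, "tcp", frozenset({80, 443})),  # outbound patch downloads
]

# The legacy arrangement the original poster describes: a hole punched
# straight through to a project server that lives on the inside network.
LEGACY_POLICY: List[Rule] = [
    Rule("allow", ANYWHERE, ip_network("10.1.2.3/32"), "tcp", frozenset({80})),
]

# Representative hosts and ports used to probe a policy (constructed).
PROBE_SRCS = {"internet": "203.0.113.7", "dmz": "192.0.2.10"}
PROBE_DSTS = {"inside-project": "10.1.2.3", "inside-dc": "10.0.0.5"}
PROBE_PORTS = (22, 25, 53, 80, 139, 443, 445, 1433, 3389)

Flow = Tuple[str, str, str, int]


def audit_inbound(policy: List[Rule]) -> List[Flow]:
    """Return every probed flow that an untrusted zone may initiate inward."""
    leaks: List[Flow] = []
    for src in PROBE_SRCS.values():
        for dst in PROBE_DSTS.values():
            for proto in ("tcp", "udp"):
                for port in PROBE_PORTS:
                    if decide(policy, src, dst, proto, port) == "allow":
                        leaks.append((src, dst, proto, port))
    return leaks


if __name__ == "__main__":
    print("DMZ policy leaks:", audit_inbound(DMZ_POLICY))
    print("legacy policy leaks:", audit_inbound(LEGACY_POLICY))
```

The audit is deliberately probe-based rather than rule-based: a rule-by-rule scan would flag the outbound DNS allow as reaching inside addresses, when in fact the deny above it shadows that path. Probing with representative addresses evaluates the policy the way the router does. With the legacy policy the audit reports the project server reachable on port 80 from both the Internet and the DMZ, which is exactly the exposure the worms in the original post exploited.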