AW: Deploying a DMZ Internationally
From: Stefan Osterlitz (ostrlitz@blox.de)
Date: 07/30/01
From: "Stefan Osterlitz" <ostrlitz@blox.de>
To: <leds@darkwater.net>, <security-basics@securityfocus.com>
Subject: AW: Deploying a DMZ Internationally
Date: Mon, 30 Jul 2001 12:46:21 +0200
Message-ID: <C5FEADB4FB3EE543959CE43DEE2ABE4E35CC@trendserver.blox.blox.ag>
1. Suck it up and deal with the pain of locating boxes in two places:
a U.S. and European based DMZ. There is quite a bit of logistics
involved with moving servers to these DMZs and the warfare that will
surely start the moment you take these servers out of the hands of
those that currently (mis)manage them locally.
Your description sounds to me like you have those servers distributed evenly
through your network.
If you want to allow external access (via laptops etc) you might want to
consider a vpn-dialin solution.
Your roaming users can dial in to an isp near them, get authenticated
domain-wide via kerberos, transfer their data with strong encryption. That
way you could allow them to dial in to your network without "holes in
the firewall". The setup would look like this:
[remote user (vpn interface)]-[internet]-[firewall]-[(vpn interface)gateway+firewall]-[internal net]
This is fairly cheap and secure. You do not need to touch your legacy
internal structure.
You can shape your traffic well because you know the main entrances.
Additionally you can easily monitor your external traffic at its entry
points.
Beware that this is not "best practice".
That would require that you set up frontend servers in the dmz and leave the
backend servers in the internal net.
2. Someone suggested that we create a 'VLAN DMZ'. I have to admit
that I am not entirely familiar with the risk versus reward of this
one. I understand that this would enable the current system
administrators to keep their machines where they are and still somewhat
isolate them from the corporate infrastructure. Something about
carrying this traffic over the corporate backbone still seems a bit odd
to me.
That means that you install one vpn adapter on each host and allow internal
access as well as "external".
Where is the security in this setup?
external - vpn --------------------------------|
                    |                          |
                  host1                      host2
internal - lan------|--------------------------|
As you can see, there is no firewall between lan and vpn, therefore they
have the same trust level.
There is no additional security in this setup, apart from the encryption.
You still have to trust the external access.
A real DMZ setup would look like this:
                                   (dmz)
external ------------ firewall - frontend host - firewall - backend host
(vpn clients)                          |
                                       |
internal ------------------------------|
(local clients)
You would not have to move your backend servers either, if you do not want
to.
Install a good frontend server, which you can administer freely and disallow
any access to the backend for clients. The only data to pass through the
second firewall may come from the frontend or your console.
Stefan Osterlitz
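Added example, not part of the original post: a small model of the two-firewall DMZ policy described above (external and local clients may only reach the frontend; only the frontend and the admin console may pass the second firewall to the backend). Zone names, ports, and the placement of the console and local clients on the DMZ segment are constructed assumptions.

```python
from typing import Dict, FrozenSet, Iterator, Tuple

Rule = Tuple[str, str, int]  # (source zone, destination zone, destination port)

# Position of each zone in the diagram (assumed): 0 = outside the first firewall,
# 1 = the DMZ segment (frontend host; local clients and the console attach here
# in this model), 2 = behind the second firewall (backend host).
ZONE_POS: Dict[str, int] = {
    "external": 0, "frontend": 1, "internal": 1, "console": 1, "backend": 2,
}

# Firewall 1 (outside <-> DMZ) and firewall 2 (DMZ <-> internal net), default deny.
FW1_ALLOW: FrozenSet[Rule] = frozenset({("external", "frontend", 443)})
FW2_ALLOW: FrozenSet[Rule] = frozenset({
    ("frontend", "backend", 5432),  # the frontend's database connection
    ("console", "backend", 22),     # administration from the console only
})
# (near side, far side, allow rules) for each firewall along the path.
FIREWALLS = ((0, 1, FW1_ALLOW), (1, 2, FW2_ALLOW))


def firewalls_crossed(src: str, dst: str) -> Iterator[FrozenSet[Rule]]:
    """Yield the rule set of every firewall that lies between the two zones."""
    lo, hi = sorted((ZONE_POS[src], ZONE_POS[dst]))
    for near, far, rules in FIREWALLS:
        if lo <= near and far <= hi:  # the firewall sits between lo and hi
            yield rules


def allowed(src: str, dst: str, port: int) -> bool:
    """A flow passes only if every firewall on its path permits it.

    A flow that crosses no firewall (same segment) is not filtered at all,
    which is the "same trust level" problem of the VLAN DMZ in the post.
    """
    return all((src, dst, port) in rules for rules in firewalls_crossed(src, dst))


def direct_backend_access(zone: str, port: int = 5432) -> bool:
    """Can a zone reach the backend directly? Should be False for all clients."""
    return allowed(zone, "backend", port)
```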