RE: Question about dmz security

From: David Gillett (gillettdavid@fhda.edu)
Date: 02/18/03

    From: "David Gillett" <gillettdavid@fhda.edu>
    To: <security-basics@securityfocus.com>
    Date: Tue, 18 Feb 2003 13:53:39 -0800

    > -----Original Message-----
    > From: Jennifer Fountain [mailto:JFountain@rbinc.com]
    > Sent: February 14, 2003 11:42
    > To: security-basics@securityfocus.com
    > Subject: Question about dmz security
    >
    > I need an opinion on a current design implementation in place. We have
    > an FTP server sitting in our DMZ. This box has two NICs - one is
    > plugged into the DMZ hub and one is plugged into our network. I think
    > this is a security risk and we should just allow internal users access
    > to the box via the firewall by opening the port instead of having dual
    > NICs. They do not see a security risk. Maybe I am just too new at this
    > and need some education. What is the "best" way to implement this
    > configuration?

      The POINT of a DMZ is that a firewall mediates traffic between one or
    more somewhat-exposed servers and the secured internal network. The
    private-network NIC on this box is bypassing that, and must be removed.

      The firewall rules which limit traffic between the DMZ and the private
    network should not allow servers in the DMZ to initiate connections into
    the private network, and should restrict the protocols by which internal
    hosts are permitted to initiate connections into the DMZ.

    David Gillett
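    The rule policy described in the reply above, modelled as a small zone-based firewall evaluator. This is an added example, not part of the original post or of any product: the address ranges, the FTP server address and the ruleset are assumptions constructed to match the thread (a public FTP server in the DMZ, internal hosts reaching it only through the firewall, and the DMZ never initiating connections inward).

```python
"""Toy zone-based firewall policy for a DMZ FTP server (constructed example)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Assumed address plan for the example (documentation ranges, not real sites).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
FTP_SERVER = "192.0.2.10"  # assumed address of the DMZ FTP host


@dataclass(frozen=True)
class Rule:
    src: str              # source zone name
    dst: str              # destination zone name
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


# Ordered ruleset: first match wins, anything unmatched is denied.
# Only connection *initiation* is modelled; reply traffic is assumed to be
# handled by the firewall's state table, as on a stateful packet filter.
RULES = [
    Rule("outside", "dmz", "tcp", 21, "allow"),    # public FTP control channel
    Rule("internal", "dmz", "tcp", 21, "allow"),   # staff reach FTP via the firewall
    Rule("internal", "dmz", "tcp", 22, "allow"),   # admin SSH into the DMZ
    Rule("dmz", "internal", "any", None, "deny"),  # DMZ never initiates inward
    Rule("dmz", "outside", "any", None, "deny"),   # DMZ never calls out either
]


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything not dmz/internal is 'outside'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a new connection attempt."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # same-zone traffic never crosses the firewall
    for r in RULES:
        if (r.src, r.dst) == (src, dst) and r.proto in ("any", proto) and r.dport in (None, dport):
            return r.action
    return "deny"  # implicit default deny
```

A dual-homed host as in the question is exactly the path this evaluator never sees: its second NIC lets DMZ-to-internal traffic skip the ruleset entirely.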
