Re: Host placement and DMZ internal/external questions.

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 10/19/05

Date: Wed, 19 Oct 2005 20:28:25 +0530
To: security-basics@securityfocus.com

On 13/10/05 17:34 -0400, Adam T wrote:
> I have a few questions about DMZ internal and external networks
> that I need help with.
>
> 1. If you have a host such as Citrix that must have access to the
> internal network, does that sit on your DMZ?

Generally, it is a bad idea to allow connections from zones with lower
security to zones with higher security. Personally, I would say that you
use a VPN and a separate DMZ reachable only from your VPN concentrator
to use Citrix.

world --> Firewall --> DMZ1

users --> VPN conc --> DMZ 2 ---> Internal

>
> 2. Antivirus mail gateway servers / antivirus update server: does that
> sit on your DMZ?
>
Your gateway server would be part of your firewall. Block all port
25/tcp requests outbound, except from your internal mailhubs. The
mailhubs relay via outbound mail gateways in the DMZ.

Antivirus update servers should be internal. Alternatively, you _could_
migrate to a non-Windows OS and avoid the antivirus altogether.

> 3. A squid proxy that internal hosts access
>
This would again be part of your firewall, and sit in the DMZ. Have the
packet filter block all outbound requests to the world except those going
to the proxy.

> With the examples above, do I place the hosts on the DMZ and then
> modify firewall rules so that the host has the access it needs to
> perform as an internal network host? If so, how is that different from
> opening up a specific port directed to a specific host on the internal
> network for outside world access?
>
> Part of my confusion lies in that when I think DMZ, I think that the
> host should never touch the internal network and be left out in the
> DMZ alone.
>
Connections initiated from the DMZ should not go to the internal
network. However, responses to connections initiated from the internal
network should go to the DMZ.

Devdas Bhagat
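The zone policy the reply sketches (no connections initiated from the DMZ into the internal network, replies to internal-initiated connections allowed back, SMTP out only from the mailhubs via the DMZ gateway, web out only via the proxy), modelled as a small stateful packet filter in Python. This is an added example, not code from the original post; the address blocks, host roles and port numbers are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True for the first packet of a new TCP connection

# Constructed address plan (assumption, not from the post); anything that
# matches neither block is treated as "world".
ZONES = {ipaddress.ip_network("10.0.0.0/8"): "internal",
         ipaddress.ip_network("192.0.2.0/24"): "dmz"}
MAILHUBS = {"10.1.0.25"}                 # internal hosts allowed to relay SMTP
MAIL_GATEWAY = "192.0.2.25"              # mail relay in the DMZ
PROXY, PROXY_PORT = "192.0.2.80", 3128   # squid in the DMZ

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((z for net, z in ZONES.items() if addr in net), "world")

def allow_new(p: Packet) -> bool:
    """Policy for connection initiation only; replies are handled by conntrack."""
    src, dst = zone_of(p.src), zone_of(p.dst)
    if dst == "internal":                     # nothing initiates into internal
        return src == "internal"
    if src == "internal" and dst == "dmz":
        if p.dport == 25:                     # only mailhubs reach the relay
            return p.src in MAILHUBS and p.dst == MAIL_GATEWAY
        return p.dst == PROXY and p.dport == PROXY_PORT
    if src == "internal":                     # internal -> world: proxy only
        return False
    if src == "dmz" and dst == "world":       # relay and proxy may egress
        return ((p.src == MAIL_GATEWAY and p.dport == 25)
                or (p.src == PROXY and p.dport in (80, 443)))
    if src == "world" and dst == "dmz":       # the one published inbound service
        return p.dst == MAIL_GATEWAY and p.dport == 25
    return False

class PacketFilter:
    def __init__(self) -> None:
        self.conntrack: set[tuple] = set()    # accepted flows, as 4-tuples
    def filter(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.conntrack or reverse in self.conntrack:
            return "ACCEPT"                   # part of a tracked connection
        if p.syn and allow_new(p):
            self.conntrack.add(flow)
            return "ACCEPT"
        return "DROP"                         # unsolicited, e.g. DMZ -> internal
```

A DMZ host that is compromised can still answer the connections internal hosts open to it, but it cannot open new ones inward; that asymmetry is what the conntrack lookup enforces.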
