RE: Patching/ AV on the DMZ

One remedy is placing a VM with WUS on the DMZ and restricting access,
thus only allowing access from the Windows Update Servers to that DMZ VM
Host. In addition, you can then have the internal WUS pull updates
directly from the DMZ host machine, isolating ports and IP addresses to
only allow the internal WUS server communication to the DMZ Host.

One reason for doing this is that if the DMZ server is compromised it
still adds a layer of security to your internal network. In addition, if
the internal WUS is compromised it's pretty evident where you got
attacked from.

Hope this helps... Sorry for the grammatical mistakes too.. :)

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of fac51@xxxxxxxxx
Sent: Monday, October 08, 2007 3:59 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Patching/ AV on the DMZ

I would like to know what the risks are of retrieving patches over the
internet rather than sneakernet. Currently all patch and AV updates are
completed by us in the old fashioned way. I would like to open those DMZ
hosts to our internal WSUS.
Am I asking for a world of hurt?

Thanks in advance.
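
An added example, not part of the original messages: a small audit of firewall allow-rules against the layout described in the reply (internal update server pulls from a DMZ update host, nothing in the DMZ initiates inward). The addresses, zone names, rule format and ports (8530/8531 for WSUS, 80/443 for the DMZ host's outbound sync) are assumptions made for the example.

```python
from collections import namedtuple

# All addresses, zone names and ports below are constructed assumptions.
INTERNAL_WSUS = "10.1.1.10"    # internal (downstream) update server
DMZ_WSUS = "192.0.2.10"        # DMZ (upstream) update host
WSUS_PORTS = {8530, 8531}      # assumed WSUS listener ports; match your site
SYNC_PORTS = {80, 443}         # assumed ports for the DMZ host's outbound sync

Rule = namedtuple("Rule", "name src_zone src dst_zone dst port")

# Constructed allow-rules, in the shape of a firewall export.
SAMPLE_RULES = [
    Rule("int-wsus-pull", "internal", INTERNAL_WSUS, "dmz", DMZ_WSUS, 8530),
    Rule("dmz-wsus-sync", "dmz", DMZ_WSUS, "internet", "any", 443),
    Rule("dmz-to-lan-smb", "dmz", DMZ_WSUS, "internal", "any", 445),
    Rule("lan-any-to-dmz-wsus", "internal", "any", "dmz", DMZ_WSUS, 8530),
    Rule("inet-to-dmz-wsus", "internet", "any", "dmz", DMZ_WSUS, 8530),
]

def audit(rules):
    """Return (rule name, reason) for every allow-rule that breaks the design."""
    findings = []
    for r in rules:
        hits_dmz_wsus = r.dst_zone == "dmz" and r.dst in (DMZ_WSUS, "any")
        if r.src_zone == "dmz" and r.dst_zone == "internal":
            # The internal server pulls; nothing in the DMZ initiates inward.
            findings.append((r.name, "DMZ may initiate into the internal network"))
        elif r.src_zone == "internal" and hits_dmz_wsus:
            if r.src != INTERNAL_WSUS or r.port not in WSUS_PORTS:
                findings.append((r.name, "only the internal WSUS, on WSUS ports, may reach the DMZ host"))
        elif r.src_zone == "internet" and hits_dmz_wsus:
            # The DMZ host starts its own sync, so no inbound rule is needed.
            findings.append((r.name, "Internet may initiate to the DMZ update host"))
        elif r.src == DMZ_WSUS and r.dst_zone == "internet" and r.port not in SYNC_PORTS:
            findings.append((r.name, "DMZ update host outbound exceeds sync ports"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

A rule whose destination is "any" in the DMZ is treated as covering the update host, so broad DMZ rules are reported too.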

