Re: DMZ - Question

On 2007-10-26 Daniel Anderson wrote:
>>> On the DMZ we will have a Web Server that needs access back to the
>>> Mainframe on the LAN, and a Mail server that need access to another
>>> mail server on the LAN.

>> Bad idea. You don't want hosts in the DMZ to be able to establish
>> connections into the LAN. That would be breaking the concept of a DMZ
>> (allow connections from a network with higher security level to a
>> network with lower security level, but not vice versa).
>>
>> There are several ways to deal with this problem, e.g. replicate the
>> information from the servers into the DMZ, use bastion hosts, or put
>> the servers from the LAN into a second DMZ.

> Don't take general rules too far.
>
> You don't want connections from the outside connecting directly to
> systems on the inside at all.
>
> Specific systems in the DMZ accessing specific systems/services on the
> LAN is normal and acceptable.

The general rule is: do not allow connections from a network with lower
security level to a network with higher security level. And I'd strongly
recommend against disregarding this rule unless you have some very good
reasons to do so.

> Trying too hard to stick to this general rule usually results in worse
> systems (replication impacting integrity, additional complexity
> impacting availability, etc).

True. However, I don't think this applies to any of the three options
I mentioned above. Not necessarily at least.

> These DMZ systems should be minimized and hardened so in effect they
> are the bastion host.

Setting up bastion hosts is one of the approaches I mentioned above.
However, depending on which software the server should run, it may not
be possible to make it a bastion host. For example I'd never allow a
webserver running PHP as a bastion host ("Hardened PHP", my ass).

> In some environments you would want additional segmentation on the
> LAN, but it's probably not realistic or a good idea to move your
> mainframe into a DMZ.

Why not? The second DMZ is not directly accessible from the Internet, so
for the mainframe there's no difference from the scenario where the
mainframe is located in the LAN. Except that in the two-DMZ scenario an
attacker wouldn't have access to the LAN even if he manages to
compromise the (publicly accessible) server in the first DMZ.

Ansgar Wiechers
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
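The zone rule argued over in this thread (a higher-security network may initiate connections into a lower one, never the reverse, with narrowly scoped exceptions for specific DMZ hosts reaching specific services in a second DMZ or on the LAN), modelled as a small first-match policy evaluator. This is an added illustration, not code from the thread or from either poster; the zone names, address ranges, security levels, hosts and ports are constructed assumptions, and only connection initiation is modelled (reply traffic of an allowed connection is assumed to pass statefully).

```python
"""Zone-level firewall policy model for the DMZ discussion above.

Added example; every address, level and port below is a constructed
assumption, not configuration taken from the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Zone -> (security level, address range). Higher level may initiate into
# lower; lower into higher needs an explicit exception rule.
ZONES = {
    "INTERNET": (0, ip_network("0.0.0.0/0")),
    "DMZ1": (50, ip_network("192.0.2.0/24")),      # publicly reachable web / MX
    "DMZ2": (75, ip_network("198.51.100.0/24")),   # mainframe, internal mail relay
    "LAN": (100, ip_network("10.0.0.0/8")),
}


@dataclass(frozen=True)
class Rule:
    src: IPv4Network    # who may initiate
    dst: IPv4Network    # host or subnet being reached
    port: int
    proto: str = "tcp"
    comment: str = ""


# Host- and port-specific exceptions to the level rule (constructed).
EXCEPTIONS = [
    Rule(ip_network("0.0.0.0/0"), ip_network("192.0.2.10/32"), 443, comment="public web server"),
    Rule(ip_network("0.0.0.0/0"), ip_network("192.0.2.25/32"), 25, comment="public MX"),
    Rule(ip_network("192.0.2.10/32"), ip_network("198.51.100.5/32"), 1414,
         comment="web server -> mainframe application port (assumed)"),
    Rule(ip_network("192.0.2.25/32"), ip_network("198.51.100.25/32"), 25,
         comment="DMZ MX -> internal mail relay"),
]


def zone_of(ip) -> str:
    """Most specific zone containing ip (0.0.0.0/0 is the catch-all)."""
    addr = ip_address(ip)
    best = None
    for name, (_, net) in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best][1].prefixlen):
            best = name
    return best


def decide(src, dst, port, proto="tcp"):
    """Return ('allow'|'deny', reason) for a connection attempt src -> dst:port."""
    s, d = ip_address(src), ip_address(dst)
    sz, dz = zone_of(s), zone_of(d)
    if sz == dz:
        return "allow", f"{sz} internal traffic, not seen by the perimeter firewall"
    # 1. explicit exceptions first (specific host, specific service)
    for r in EXCEPTIONS:
        if s in r.src and d in r.dst and port == r.port and proto == r.proto:
            return "allow", f"{sz}->{dz} explicit exception: {r.comment}"
    # 2. general rule: higher level may initiate into lower level
    if ZONES[sz][0] > ZONES[dz][0]:
        return "allow", f"{sz}->{dz} higher security level to lower"
    # 3. everything else: lower (or unrelated) level into higher is denied
    return "deny", f"{sz}->{dz} lower security level to higher, no exception"


def exposures():
    """List every exception that lets a lower zone initiate into a higher one.

    Each entry is one of the 'very good reasons' the thread asks for, and
    the list is what a reviewer should audit.
    """
    out = []
    for r in EXCEPTIONS:
        sz, dz = zone_of(r.src.network_address), zone_of(r.dst.network_address)
        if ZONES[sz][0] < ZONES[dz][0]:
            out.append((sz, dz, str(r.dst), r.port, r.comment))
    return out


if __name__ == "__main__":
    for attempt in [
        ("203.0.113.9", "192.0.2.10", 443),     # Internet -> public web
        ("203.0.113.9", "192.0.2.10", 22),      # Internet -> web server SSH
        ("192.0.2.10", "198.51.100.5", 1414),   # web server -> mainframe app port
        ("192.0.2.10", "198.51.100.5", 22),     # web server -> mainframe, other port
        ("192.0.2.10", "10.0.0.5", 445),        # compromised web server -> LAN
        ("10.0.0.7", "192.0.2.10", 443),        # LAN -> DMZ1
    ]:
        print(attempt, *decide(*attempt))
    print("exposures to justify:", exposures())
```

The ordering matters: exceptions are evaluated before the level rule so that a compromised web server in DMZ1 can reach exactly one port on the mainframe and nothing on the LAN, which is the property the two-DMZ layout buys. The `exposures()` list is the set of lower-to-higher holes that each need a documented justification.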
