RE: shared home directory placement

you can have more than one DMZ. Like I have a production DMZ and a
private DMZ. So it's not a terrible idea to do this....

You should just make sure your firewall ACL's are good and only allows
LAN access. You might also want to put the unix folks on a different
vlan for ease of maintenance. Then you should be rock solid.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Jason
Sent: Monday, January 07, 2008 7:46 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: shared home directory placement

hello all, I have a best practices question. I have a large pool of unix
folks that have shared storage for home directories (NFS). Right now,
they only have access to these directories from systems that are located
in the TRUST zone of our network, but we are redesigning things to
segment systems further which will put some systems into a less trusted
zone. When it's all said and done, hosts that will be in a dmz and
hosts that will be in trust will still need access to this NFS server.
What I was wondering is if it would be a Terrible Idea to move the NFS
server into a DMZ of it's own, out of the Trust zone, and allow access
to it from the hosts in different DMZs as well as hosts in the trust
zone. If the NFS server is compromised by an upstream system, policy
won't allow that system to initiate connections outside of it's own DMZ.

I guess the short question is have any of you setup shared storage that
is accessible from trusted and non trusted zones?

Luck favors the prepared

This email, its contents and attachments contain information from j2 Global Communications, Inc. and/or its affiliates which may be privileged, confidential or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is prohibited. If you have received this email in error please notify the sender by reply e-mail and delete the original message and any copies.