Re: Extending the DMZ
- From: "Michael Condon" <admin@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 16 Oct 2008 14:55:23 -0500
Is it feasible to add another Ethernet interface to the server, connect that to the DMZ, and disable routing between the two interfaces?
----- Original Message ----- From: "CORP John Porter" <jporter@xxxxxxxx>
To: <security-basics@xxxxxxxxxxxxxxxxx>
Sent: Wednesday, October 15, 2008 9:58 AM
Subject: Extending the DMZ
We have an ASA with a separate interface for the DMZ. Connected to that
interface is a layer 2 switch, and then the DMZ servers. The Windows
guys, working with Application development, have created a new server,
in a blade center. The blade center has a layer 3 switch built in, which
is connected to our core switch with a 4 port Etherchannel. Now they
want the server they built made available on the internet. I have told
them that the server must be moved to the DMZ, but they are reluctant to
do that because they already built it on an internal Blade Server. They
want me to create a VLAN on the layer 3 switch and connect 1 port from
the layer 3 switch to the layer 2 DMZ switch, so the server will be
available on the DMZ.
This seems like a very bad idea to me:
- Someone can mis-configure the server and end up with it acting as a
router to pass traffic between the DMZ and inside network
- The layer 3 switch is going to route traffic between the new VLAN and
the inside network
- Even if I manage to lock things down so that it works, there may be
other problems/exploits that make this a bad idea.
Am I just being paranoid, or is this definitely a bad idea?
- References:
- Extending the DMZ
- From: CORP John Porter
- Extending the DMZ
- Prev by Date: RE: Extending the DMZ
- Next by Date: L7 Firewalls
- Previous by thread: RE: Extending the DMZ
- Next by thread: RE: Extending the DMZ
- Index(es):
Relevant Pages
|
