RE: Extending the DMZ
- From: "David Gillett" <gillettdavid@xxxxxxxx>
- Date: Fri, 17 Oct 2008 11:08:01 -0700
Instead of putting the server itself on the DMZ, put a proxy
on the DMZ that relays (only) the needed services to the internal
blade server.
David Gillett
-----Original Message-----
From: CORP John Porter [mailto:jporter@xxxxxxxx]
Sent: Wednesday, October 15, 2008 7:58 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Extending the DMZ
We have an ASA with a separate interface for the DMZ.
Connected to that interface is a layer 2 switch, and then the
DMZ servers. The Windows guys, working with Application
development, have created a new server, in a blade center.
The blade center has a layer 3 switch built in, which is
connected to our core switch with a 4 port Etherchannel. Now
they want the server they built made available on the
internet. I have told them that the server must be moved to
the DMZ, but they are reluctant to do that because they
already built it on an internal Blade Server. They want me to
create a VLAN on the layer 3 switch and connect 1 port from
the layer 3 switch to the layer 2 DMZ switch, so the server
will be available on the DMZ.
This seems like a very bad idea to me:
- Someone can mis-configure the server and end up with it
acting as a router to pass traffic between the DMZ and inside network
- The layer 3 switch is going to route traffic between the
new VLAN and the inside network
- Even if I manage to lock things down so that it works,
there may be other problems/exploits that make this a bad idea.
Am I just being paranoid, or is this definitely a bad idea?
- References:
- Extending the DMZ
- From: CORP John Porter
- Extending the DMZ
- Prev by Date: Re: Re: RE: Port scan and scvhost overload
- Next by Date: Re: Upptime report tools?
- Previous by thread: Re: Extending the DMZ
- Next by thread: Re: Extending the DMZ
- Index(es):
Relevant Pages
|
