Near and far dmz (is this model secure)

From: Christiaan Ehlers (chrisehlers_uk@yahoo.co.uk)
Date: 10/04/02


From: "Christiaan Ehlers" <chrisehlers_uk@yahoo.co.uk>
Date: Fri, 4 Oct 2002 15:30:13 +0100

We have to secure our network, where we have a mail gateway (accepting
connections from the outside) which forwards it to Exchange servers. Now I
believe in a strict DMZ policy where there are NO connections from the
outside or DMZ into the internal network.

My manager disagrees because he says that he wants the Exchange in the
internal network and does not trust it on the DMZ (I can see his side of it,
since the whole company's mail is on the Exchange server).

He proposed a scheme using a near and far DMZ. Basically the far-dmz allows
traffic from the internet, near-dmz and internal network. The near-dmz
allows connections from only the far-dmz and internal network. The internal
network would ultimately only allow limited connections from the near-dmz.
The last point I don't agree with; I believe that the internal network should
not allow ANY incoming connections... Am I being too paranoid? Is this
model a trusted way of doing things? Is there a way that the Exchange setup
described above can be made secure?

They are also planning extra servers, like a RAS server, that might need access
to the internal network. I guess it is better having stuff like this sit on
a near DMZ than on the internal network.

Any comments or suggestions will help.

regards
christiaan ehlers
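
The zone rules described in the post above, modelled as a graph of who may initiate connections to whom (an added example, not part of the original post). The function names are hypothetical, and treating the "limited connections" from the near-dmz as a single allowed flow is an assumption; the code compares the proposed near/far scheme with the poster's stricter no-inbound variant.

```python
from collections import deque

# Allowed flows: initiating zone -> zones it may open connections to.
# Zone names come from the post; "limited connections" from the near-dmz
# is modelled as a single allowed flow (assumption).
NEAR_FAR_MODEL = {
    "internet": {"far-dmz"},
    "far-dmz": {"near-dmz"},
    "near-dmz": {"far-dmz", "internal"},
    "internal": {"far-dmz", "near-dmz"},
}

# The poster's stricter variant: nothing may initiate into the internal network.
STRICT_MODEL = {
    zone: dests - {"internal"} for zone, dests in NEAR_FAR_MODEL.items()
}


def initiators(policy, target):
    """Zones allowed to open a connection directly into `target`."""
    return {zone for zone, dests in policy.items() if target in dests}


def shortest_chain(policy, source, target):
    """Shortest chain of allowed flows from source to target (BFS), or None."""
    queue = deque([[source]])
    seen = {source}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(policy.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    for name, policy in (("near/far", NEAR_FAR_MODEL), ("strict", STRICT_MODEL)):
        print(name, "initiators into internal:", sorted(initiators(policy, "internal")))
        print(name, "internet -> internal chain:",
              shortest_chain(policy, "internet", "internal"))
```

In the near/far scheme the internal network's exposure rests on the one near-dmz rule, so that rule is the place to pin source host, destination host and port; in the strict variant no chain of allowed flows from the internet ends in the internal network.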


