Re: Near and far dmz (is this model secure)

Date: 10/04/02

From: "Leonid Rosenboim" <MY_FIRST_NAME@CONSULTANT.COM>
Date: Fri, 4 Oct 2002 17:08:00 +0200

I think that your boss is right; the Exchange servers should be on the
internal network.

I do not see, however, how the creation of two DMZs will change things.
It might be a good idea if you had more services; say you were an
company, then I would advise putting some front-end servers on hosting
(that is your far DMZ) that are allowed to talk to some back-end servers
in a (near) DMZ via a VPN tunnel.

If this is mainly for mail, however, you need to allow incoming SMTP
connections from the DMZ to the internal network, but you can
mitigate some of the risks involved if you also use an SMTP-aware
firewall between the DMZ and the internal network, so that even somebody
who has access to the DMZ won't be able to exploit any Exchange bug
to hack the internal server.

Once you have multiple services in your DMZ, it might be a good
idea to create a DMZ per service, and tightly control how those
different services talk to each other. Look at the RN20
switch from, it might make
the idea of multiple DMZs more palatable (and affordable).

 - Leonid

"Christiaan Ehlers" <> wrote in message
> We have to secure our network, where we have a mail gateway (accepting
> connections from the outside) which forwards it to Exchange servers. Now I
> believe in a strict DMZ policy where there are NO connections from the
> outside or DMZ into the internal network.
> My manager disagrees because he says that he wants the Exchange in the
> internal network and does not trust it on the DMZ (I can see his side of it
> since the whole company's mail is on the Exchange server).
> He proposed a scheme using a near and far DMZ. Basically the far DMZ
> traffic from the internet, near DMZ and internal network. The near DMZ
> allows connections from only the far DMZ and internal network. The
> network would ultimately only allow limited connections from the near DMZ.
> The last point I don't agree with; I believe that the internal network should
> not allow ANY incoming connections... Am I being too paranoid? Is this
> model a trusted way of doing things? Is there a way that the above described
> Exchange setup can be made secure?
> They are also planning extra servers like a rass server that might need
> to the internal network. I guess it is better having stuff like this sit in
> a near DMZ than on the internal network.
> Any comments or suggestions will help.
> Regards,
> Christiaan Ehlers
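The near/far DMZ scheme in the quoted question, and the single inbound SMTP hole into the internal network that Leonid accepts, can be written down as an explicit zone policy and checked mechanically. The following Python is an added example written for this page, not code from either poster: the zone names, the `Rule` table and the `audit_inbound_holes` check are constructed here, and the policy assumes a mail relay in the near DMZ that receives SMTP from the far-DMZ gateway and delivers only SMTP to Exchange inside.

```python
"""Toy zone-policy evaluator for the near/far DMZ model (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional

# Zones ordered from least to most trusted (assumed ordering for this example).
INTERNET, FAR_DMZ, NEAR_DMZ, INTERNAL = "internet", "far-dmz", "near-dmz", "internal"
ZONES = (INTERNET, FAR_DMZ, NEAR_DMZ, INTERNAL)
SMTP, HTTPS = 25, 443


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]   # None means any destination port
    action: str           # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return self.src == src and self.dst == dst and (self.port is None or self.port == port)


# Hypothetical ruleset encoding the scheme from the question:
#  - far DMZ reachable from the internet (SMTP only), near DMZ and internal
#  - near DMZ reachable only from far DMZ (SMTP relay) and internal
#  - internal reachable only from near DMZ, and only on SMTP (Exchange delivery)
POLICY: List[Rule] = [
    Rule(INTERNET, FAR_DMZ, SMTP, "allow"),   # mail gateway accepts inbound mail
    Rule(NEAR_DMZ, FAR_DMZ, None, "allow"),
    Rule(INTERNAL, FAR_DMZ, None, "allow"),
    Rule(FAR_DMZ, NEAR_DMZ, SMTP, "allow"),   # gateway forwards to the near-DMZ relay
    Rule(INTERNAL, NEAR_DMZ, None, "allow"),
    Rule(NEAR_DMZ, INTERNAL, SMTP, "allow"),  # the one hole inward: relay -> Exchange
]


def decide(policy: List[Rule], src: str, dst: str, port: int) -> str:
    """First-match evaluation; anything unmatched falls through to default deny."""
    for rule in policy:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


def trace_path(policy: List[Rule], hops: List[str], port: int) -> Optional[str]:
    """Walk a multi-hop flow (e.g. mail relaying) and return the first denied hop, or None."""
    for src, dst in zip(hops, hops[1:]):
        if decide(policy, src, dst, port) != "allow":
            return f"{src} -> {dst}"
    return None


def audit_inbound_holes(policy: List[Rule]) -> List[str]:
    """Flag allow rules that skip a zone boundary toward 'internal' or open
    the internal network on every port; an empty list means the ruleset
    honours the layered model."""
    trust = {zone: i for i, zone in enumerate(ZONES)}
    findings = []
    for rule in policy:
        if rule.action != "allow":
            continue
        if trust[rule.dst] > trust[rule.src] + 1:
            findings.append(f"zone skip: {rule.src} -> {rule.dst}")
        elif rule.dst == INTERNAL and rule.port is None:
            findings.append(f"unrestricted inbound: {rule.src} -> {rule.dst}")
    return findings


if __name__ == "__main__":
    for src, dst, port in [(INTERNET, INTERNAL, SMTP), (FAR_DMZ, INTERNAL, SMTP),
                           (NEAR_DMZ, INTERNAL, SMTP), (NEAR_DMZ, INTERNAL, HTTPS)]:
        print(f"{src:>9} -> {dst:<9} port {port:<4} {decide(POLICY, src, dst, port)}")
    print("mail path blocked at:", trace_path(POLICY, [INTERNET, FAR_DMZ, NEAR_DMZ, INTERNAL], SMTP))
    print("audit findings:", audit_inbound_holes(POLICY))
```

The audit function is the part worth keeping around: add a rule such as `Rule(FAR_DMZ, INTERNAL, SMTP, "allow")` (the shortcut the question's author objects to) and the audit reports a zone skip, while the relay path still delivers mail end to end through the near DMZ.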
