Re: Is a DMZ necessary?
From: Somebody. (somebody._at_spamout.russdoucet.com)
Date: 10/16/05
- Next message: Somebody.: "Re: VPN Choices"
- Previous message: Chris: "Re: Translation Rule"
- In reply to: Frankster: "Re: Is a DMZ necessary?"
- Next in thread: Leythos: "Re: Is a DMZ necessary?"
- Reply:(deleted message) Leythos: "Re: Is a DMZ necessary?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 16 Oct 2005 08:30:02 -0400
"Frankster" <Frank@SPAM2TRASH.com> wrote in message
news:cLudncrpjpM4vczeRVn-rA@giganews.com...
>> The main purpose of a DMZ in your situation is to limit the ability of
>> the server to a) be compromised from the internal machines...
>
> I think you mean *external* machines here... right?
No, I don't. That's the firewall's job, and if it's properly configured,
the incoming and outgoing rules for the server should be basically the same
whether your server is in the DMZ or the Internal zone. But, if your server
is *not* in a DMZ, if a user, say, brings in an infected laptop, then your
server is completely vulnerable to it. If you put your server in a DMZ, you
can put controls on the internal machines' capabilities of communicating
with it, just as if they were outside machines.
>
>> and b) to attack the internal machines if it is compromised.
>
> Yes.
>
>> Putting it in a properly configured DMZ allows only the absolute minimum
>> communication in AND out from the server.
>
> You don't need a DMZ to do that, do you? You can have exactly the same
> limitations on communication from/to the LAN from that machine whether it
> is in a DMZ zone or not, right? Can you offer any reason why a DMZ is
> better?
How are you going to stop the infected laptop from going to town on your
server? By hardening it? By that logic, you should put your server on a
raw internet feed. Putting it on a DMZ allows you to use your firewall to
protect your server from inside machines too.
>> If your firewall has sufficient bandwidth capability, there is no reason
>> not to put an internal server in a DMZ, but many low-end firewalls can't
>> handle doing their job at LAN speeds, hence the (misguided)
>> recommendation above.
>
> I see NO mention whatsoever of speed having any relationship whatsoever
> with those recommendations (actually ideas, not recommendations) in the
> original post. Are you just taking this opportunity to slam firewall
> products selling for less than $5000?
No, I'm just pointing out the very obvious fact that if you try to put your
database server behind a firewall that cost you $1000, it is not going to do
Intrusion protection at 100Mbps, and will therefore severely limit your
server bandwidth to your internal users. That's what the original
recommendations said, putting your firewall in a DMZ will hurt its
performance. But that's only because the firewalls they are thinking about
are insufficiently powerful to handle such traffic. You can buy firewalls
that will handle the 100Mbps you need, or whatever lower number you're
comfortable with, and will therefore not introduce any performance problems
into your network when you put your server behind them using a DMZ.
>
>> A good firewall will do much more than just stop unauthorized traffic in
>> and out, but it will actually recognize nefarious in-band traffic, that
>> is, dangerous payloads in allowed ports and protocols, such as SQL
>> attacks.
>
> Agreed. And that "good" firewall you are talking about will do just as
> good of a job on a machine inside or outside of a DMZ zone. Right?
Again, you can't protect it from internal machines without using a DMZ.
That's the point of the DMZ. Ok?
>
>> These types of firewalls are even more useful to your server and network
>> security when properly utilized like this with a DMZ to protect the
>> server.
>
> You give no rationale about the DMZ being better. Just a gut feeling?
Hopefully by now you get the idea, I won't repeat myself again on that
point.
>
>> You can have a Windows server that is part of a DMZ and also your domain,
>> but then you will need to open up the domain communication ports between
>> the DMZ server and the PDC. Which does increase your risk of a
>> compromise of some certain types if your PDC is also compromised, but a
>> greatly, greatly reduced risk than having your servers fully accessible
>> to everything.
>
> If only necessary communication is opened from the server in question to
> the LAN, what difference if the server is in or out of a DMZ? Can you
> explain. Either way you can limit communication to the same
> ports/services...right?
>
> -Frank
That would be about, what, the 5th time? Surely by now you see the issue.
-Russ.
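The argument Russ makes in the post above (a server in its own DMZ segment has traffic from *internal* hosts filtered by the firewall, while a server left on the LAN segment is reachable by any LAN host without the firewall ever seeing a packet) can be made concrete with a small zone-based policy model. The following is an added example, not code from the original post or any product it mentions; the addresses, zone names, the 10.0.0.0/24 and 10.0.1.0/24 segments, the PDC and database server hosts, and the port lists are all constructed assumptions for illustration.

```python
"""Zone-based firewall policy model (added example; not from the original post).

Shows why placing an internal server in a DMZ matters: inter-zone flows are
evaluated against an explicit rule set with a default drop, whereas flows
inside one zone are switched locally and never reach the firewall.
All addresses, ports and zone names are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: one /24 per zone; anything else is "external".
ZONES = {
    "internal": ip_network("10.0.0.0/24"),
    "dmz": ip_network("10.0.1.0/24"),
}

PDC = ip_address("10.0.0.5")         # domain controller on the LAN (assumed)
DB_IN_DMZ = ip_address("10.0.1.10")  # database server placed in the DMZ (assumed)
DB_ON_LAN = ip_address("10.0.0.10")  # the same server if left on the LAN (assumed)


def zone_of(ip) -> str:
    """Map an address to its zone; unknown space is treated as the Internet."""
    ip = ip_address(ip)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                      # "tcp" or "udp"
    dports: frozenset               # empty set = any destination port
    action: str                     # "accept" or "drop"
    dst_host: Optional[str] = None  # pin the rule to a single destination

    def matches(self, src, dst, proto, dport) -> bool:
        if (zone_of(src), zone_of(dst)) != (self.src_zone, self.dst_zone):
            return False
        if proto != self.proto:
            return False
        if self.dports and dport not in self.dports:
            return False
        if self.dst_host is not None and ip_address(dst) != ip_address(self.dst_host):
            return False
        return True


# First match wins; inter-zone traffic that matches nothing is dropped.
RULES = [
    # LAN workstations may reach only the SQL Server listener in the DMZ.
    Rule("internal", "dmz", "tcp", frozenset({1433}), "accept"),
    # The DMZ server may talk to the PDC only on the domain ports it needs
    # (Kerberos, RPC endpoint mapper, LDAP, SMB, LDAPS, global catalog).
    Rule("dmz", "internal", "tcp", frozenset({88, 135, 389, 445, 636, 3268}),
         "accept", dst_host=str(PDC)),
    Rule("dmz", "internal", "udp", frozenset({53, 88, 123, 389}),
         "accept", dst_host=str(PDC)),
]


def decide(src, dst, proto, dport) -> str:
    """Return the firewall's verdict ("accept" or "drop") for one flow.

    A flow whose endpoints share a zone never crosses the firewall, so it is
    accepted by construction: that is exactly the case the post warns about.
    """
    if zone_of(src) == zone_of(dst):
        return "accept"  # switched locally; the firewall never sees it
    for rule in RULES:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "drop"


if __name__ == "__main__":
    laptop = "10.0.0.50"  # an infected laptop plugged into the LAN (assumed)
    print(decide(laptop, str(DB_ON_LAN), "tcp", 445))   # same segment: not filtered
    print(decide(laptop, str(DB_IN_DMZ), "tcp", 445))   # SMB into the DMZ: dropped
    print(decide(laptop, str(DB_IN_DMZ), "tcp", 1433))  # SQL into the DMZ: allowed
    print(decide(str(DB_IN_DMZ), "10.0.0.50", "tcp", 445))  # DMZ to a workstation: dropped
```

The second and third rules are the "domain communication ports" the post refers to when a DMZ member is also domain-joined; they are also the residual risk it describes, since a compromised DMZ server keeps that reachability to the PDC. Real Active Directory traffic additionally needs the RPC dynamic port range, so a production rule set would be wider than this model; the point the model makes is that the reachability is enumerated and pinned to one host, and that the same server on the LAN segment would be reachable on every port from every LAN host with no rule consulted at all.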