Re: DMZ design

From: Ansgar -59cobalt- Wiechers (usenet-2005_at_planetcobalt.net)
Date: 11/29/05


Date: 29 Nov 2005 19:30:57 GMT

DigitalVinyl wrote:
> Ansgar -59cobalt- Wiechers <usenet-2005@planetcobalt.net> wrote:
>> You don't want *any* host in the DMZ to be able to establish
>> connections into your private network, since that would break the
>> DMZ. Put the backend servers into the DMZ (or a separate second DMZ).
>> Replicate (push!) the relevant data from your backend servers to
>> servers in the DMZ. But *never* *ever* allow connections from the DMZ
>> to the internal network.
>
> In reality this is next to impossible in any real world scenario.

Wrong.

> What this would mean is near 100% of your servers would be DMZ'd.

Yeah. So?

> If you put SMTP servers in the DMZ they MUST reach in and deliver mail
> to Exchange/Notes.

No. It can easily be *pulled* from the SMTP server and fed to Exchange.
Outbound mail is sent through a smarthost. BTDT. Don't know about Notes,
though.

> DMZ these and you open more problems than you solve because RPC uses
> 10s of thousands of high ports as service ports.

There's no need to DMZ them.

cu
59cobalt

-- 
"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668
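
Added example, not part of the original post: a small ruleset audit that flags any allow rule letting a DMZ host initiate a connection into the internal network, including broad any-source rules that cover the DMZ implicitly. The subnets, host addresses, ports (POP3 for the mail pull, SSH for the push), the smarthost sitting in the DMZ, and all names are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple
# Constructed addressing and ports; all are assumptions for this example.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
DMZ = ipaddress.ip_network("192.168.100.0/24")

class Rule(NamedTuple):
    action: str  # "allow" or "deny", applied to NEW connections (stateful firewall)
    src: str     # CIDR of the side that initiates
    dst: str     # CIDR of the side being connected to
    port: int    # destination TCP port, 0 = any
    note: str

def dmz_to_internal_violations(rules):
    """Return notes of allow rules that let a DMZ host connect into INTERNAL.
    First-match semantics: an earlier any-port deny shadows a later allow only
    if it covers the whole DMZ->internal slice of that allow.
    """
    denies, found = [], []
    for r in rules:
        s, d = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if r.action == "deny":
            if r.port == 0:
                denies.append((s, d))
            continue
        if not (s.overlaps(DMZ) and d.overlaps(INTERNAL)):
            continue
        # CIDR blocks nest or are disjoint, so the overlap is the smaller block.
        s_part = s if s.subnet_of(DMZ) else DMZ
        d_part = d if d.subnet_of(INTERNAL) else INTERNAL
        if not any(s_part.subnet_of(ds) and d_part.subnet_of(dd) for ds, dd in denies):
            found.append(r.note)
    return found

# Constructed rulesets: pull/push flows start inside; the last two break the DMZ.
PULL_PUSH = [
    Rule("allow", "10.0.0.25/32", "192.168.100.10/32", 110, "internal fetcher pulls mail"),
    Rule("allow", "10.0.0.25/32", "192.168.100.10/32", 25, "outbound mail to smarthost"),
    Rule("allow", "10.0.0.30/32", "192.168.100.20/32", 22, "backend pushes data to DMZ"),
]
BROKEN = PULL_PUSH + [
    Rule("allow", "192.168.100.10/32", "10.0.0.25/32", 25, "DMZ SMTP delivers inward"),
    Rule("allow", "0.0.0.0/0", "10.0.0.40/32", 443, "any-source rule also covers DMZ"),
]
GUARDED = [Rule("deny", "192.168.100.0/24", "10.0.0.0/24", 0, "DMZ never initiates inward")] + BROKEN

if __name__ == "__main__":
    for name, rs in (("PULL_PUSH", PULL_PUSH), ("BROKEN", BROKEN), ("GUARDED", GUARDED)):
        print(name, dmz_to_internal_violations(rs))
```
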

