Re: DMZ design

From: DigitalVinyl (DigitalVinyl_at_internet.com)
Date: 11/29/05

• Next message: Moe Trin: "Re: install ipcop"
• Previous message: MikeG: "Re:How about A brilliant piece of software that eliminates Spamware as well"
• In reply to: Ansgar -59cobalt- Wiechers: "Re: DMZ design"
• Next in thread: Leythos: "Re: DMZ design"
• Reply:(deleted message) Leythos: "Re: DMZ design"
• Reply: Ansgar -59cobalt- Wiechers: "Re: DMZ design"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Tue, 29 Nov 2005 19:58:59 GMT

Ansgar -59cobalt- Wiechers <usenet-2005@planetcobalt.net> wrote:

>DigitalVinyl wrote:
>> Ansgar -59cobalt- Wiechers <usenet-2005@planetcobalt.net> wrote:
>>> You don't want *any* host in the DMZ to be able to establish
>>> connections into your private network, since that would break the
>>> DMZ. Put the backend servers into the DMZ (or a separate second DMZ).
>>> Replicate (push!) the relevant data from your backend servers to
>>> servers in the DMZ. But *never* *ever* allow connections from the DMZ
>>> to the internal network.
>>
>> In reality this is next to impossible in any real world scenario.
>
>Wrong.

Go into any decent sized enterprise and you will not find that all
inbound traffic from the DMZ is blocked. That's what that says. Your
ruleset set is ONE simple line a DENY SRC:ALL-DMZ-NETS DST:INSIDE ANY.
In a small company with almost no servers that could be possible
largely because you don't do much. But once your shop starting
developing apps and you have dozens of DMZ servers that concept is not
enforceable. Politically you won't win. I wonder if the financial
world manages to maintain that standard. Where SMTP, DNS, NTP, and
every other protocol is restructured to only permit pushes into the
DMZ.

>> What this would mean is near 100% of your servers would be DMZ'd.
>
>Yeah. So?

So one comprimised server in the DMZ could lead to a hundred. It could
increase the layer 2 security requiremnt in the DMZ to be
administratively painful. The rule I use is if the Internet must
reach in and touch the server it should be in a DMZ. Everything else
should be further in. This is a fairly safe thing, since the DMZ must
protects your company from IT'S OWN SERVERS. This is sometimes
forgotten. The Firewall is protecting your inside network from
compromised DMZ servers. Load your DMZs up with non-internet servers
and you've reduced all your security to that of an internet-accessible
server.

DB & servers which hold financial and legal information should be
reviewed if there is a legal obligation to up the protectio even
further (FW'ing the DB from the Inside network as well).

>> If you put SMTP servers in the DMZ they MUST reach in and deliver mail
>> to exchange/notes.
>
>No. It can easily be *pulled* from the SMTP server and fed to Exchange.
>Outbound mail is sent through a smarthost. BTDT. Don't know about Notes,
>though.

I've never heard of that setup. But you'd have to do the same with
every protocol and transfer in existence. You can't use internal NTP
servers, or SMTP gateways, or DNS, or printservers, or sysloggers, or
FTP servers. It all has to be reversed or you need to establish all
those services within the DMZ.

>> DMZ these and you open more problems then you solve because RPC uses
>> 10s of thousands of high ports as service ports.
>
>There's no need to DMZ them.

The exchange team here insists that OWA (the web-access server for
Exchange) must be in the same network as Exhcnage and domain
controller. It's likely that it is total hogwash but it sets up a
common political problem. The network/security group is pitted against
other departments trying to reasearch/prove/discredit what tehy say is
true to justify that the above guidelines are adhered to. That's
where this stuff falls apart over time. The human element makes it
impossible.

>cu
>59cobalt

---

• Next message: Moe Trin: "Re: install ipcop"
• Previous message: MikeG: "Re:How about A brilliant piece of software that eliminates Spamware as well"
• In reply to: Ansgar -59cobalt- Wiechers: "Re: DMZ design"
• Next in thread: Leythos: "Re: DMZ design"
• Reply:(deleted message) Leythos: "Re: DMZ design"
• Reply: Ansgar -59cobalt- Wiechers: "Re: DMZ design"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages RE: newbie to DMZ ... Someone who breaks into a server on the DMZ cannot ... install a sniffer there and gain leverage toward your internal network. ... The DMZ is for servers accessible from the outside world. ... > the Internet the ither is for my Network. ... (Security-Basics) Re: One domain controller for several dmzs ... DMZ for Windows network traffic. ... > servers into a different network that the web servers. ... (microsoft.public.windows.server.active_directory) Re: How to decide on which network interface domain controller is available ... We are having two servers and I decided that for us it is ... (DC and Internet Gateway/Servers). ... with clients) and an external network. ... nullifying the security of having a DMZ, since if the DC on the DMZ ... (microsoft.public.win2000.active_directory) RE: Gurus: server on perimeter vs. corporate advice ... I personally have implemented SharePoint in both environments (DMZ & internal ... front-end servers. ... on their internal network and due ... (microsoft.public.security) RE: Question about DMZ Domain Member and Virus Membership ... test and audit the servers regularly. ... Question about DMZ Domain Member and Virus Membership ... Tailor your education to your own professional goals with degree ... Computer Emergency Response Teams, and Digital Investigations. ... (Security-Basics)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)