How to create a manageable DMZ architecture?

My problem is that there are services on my internal LAN, such as
Kerberos, NTP, DNS queries & xfers, etc, that I need my servers on my
DMZs to access. I am thinking of building 2 DMZs; one for my web
servers and the other for my DB servers. After doing a little DMZ
design research I found two threads that make me wonder:

1) Never let a server on a publicly accessible DMZ segment initiate a
connection to a server on a higher security segment (i.e. a server in
the LAN).

2) To allow administrative access to servers in the DMZ, create an out-
of-band management subnet by installing another NIC on each of the DMZ
servers. This dedicated NIC would allow administrative access,
Kerberos, NTP, etc. None of these servers would allow packet

With #1 being stated, how do you allow DMZ'ed hosts to access these
internal services that cannot be easily replicated? Replicating
all of these services for each DMZ as well as the LAN sounds like an
administrative nightmare.

#2 made me wonder whether security is really gained. Couldn't all of
this service and administrative access take place over the main
communications channel (i.e. in-band) with less hardware and
configuration? It seems like the only thing gained would be access to
the servers via the out-of-band channel in the event of a DoS on the
in-band channel.

What are some of your DMZ design guidelines and best practices?

Would it be so bad to just poke a few holes through the firewall from
the DMZ to the LAN and then really lock down those internal servers,
not allowing them to initiate connections outside of their local
