Re: How to create a manageable DMZ architecture?

In article <b742ef56-cc3a-4703-80e6-579b081ce7ce@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, clintpachl@xxxxxxxxx says...
> My problem is that there are services on my internal LAN, such as
> Kerberos, NTP, DNS queries & xfers, etc, that I need my servers on my
> DMZs to access. I am thinking of building 2 DMZs; one for my web
> servers and the other for my DB servers. After doing a little DMZ
> design research I found two threads that make me wonder:

It sounds like your web server is part of your Windows Active Directory
or domain structure in the LAN - BAD MOVE.

As for SQL - your application should be connecting over TCP 1433 using a
user/password connection, not a Windows Authentication connection.

NTP - no need to allow it to access the LAN, have it sync with the same
public NTP server as your main NTP server.

DNS - again, you could open TCP 53 between the DMZ and LAN, but the web
server has no reason to know the name of any node in the lan, so you
don't need DNS.

You appear to think that you can have an AD/Domain server in the DMZ and
still call it a DMZ - you can't.

The server in the DMZ should be a stand-alone server, not part of your
LAN network or AD.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum. (Therefore, whoever desires peace should prepare for war.)
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
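The rule set Leythos describes (web DMZ talks to the DB DMZ on TCP 1433 only, NTP goes to a public server, nothing from the DMZ reaches the LAN) can be written down as an explicit allow list with a default drop and checked before it is loaded into a firewall. The following is an added example, not code from the thread or from either poster; the zone names, the documentation-range addresses and the rule list are constructed assumptions, and the `to_nftables` renderer assumes a Linux nftables forward chain with connection tracking handling return traffic.

```python
"""Toy zone-based firewall policy for the two-DMZ layout discussed above.

Zone names, addresses and the rule list are constructed for illustration;
only the protocol/port choices (TCP 1433 for SQL, UDP 123 for NTP, 53 for
DNS staying closed toward the LAN) follow the thread's advice.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed addressing (RFC 5737 documentation ranges, not from the post).
ZONES = {
    "web_dmz": ipaddress.ip_network("192.0.2.0/24"),
    "db_dmz": ipaddress.ip_network("198.51.100.0/24"),
    "lan": ipaddress.ip_network("10.0.0.0/8"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),  # catch-all, least specific
}


@dataclass(frozen=True)
class Rule:
    src: str    # source zone
    dst: str    # destination zone
    proto: str  # "tcp" or "udp"
    dport: int  # destination port
    note: str   # why this flow is permitted


# Explicit allow list. Anything not listed, in particular every DMZ -> LAN
# flow (Kerberos 88, LDAP 389, DNS 53, SMB 445 ...), falls to the default drop.
# Return packets of accepted flows are matched by connection tracking, so no
# reverse rules are needed and the DB DMZ can never open a flow on its own.
POLICY = [
    Rule("internet", "web_dmz", "tcp", 443, "public HTTPS"),
    Rule("internet", "web_dmz", "tcp", 80, "public HTTP"),
    Rule("web_dmz", "db_dmz", "tcp", 1433, "SQL over a user/password login, not Windows auth"),
    Rule("web_dmz", "internet", "udp", 123, "NTP against the same public server the LAN uses"),
    Rule("db_dmz", "internet", "udp", 123, "NTP, same public server"),
]
DEFAULT_ACTION = "drop"


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address to a zone name."""
    addr = ipaddress.ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: kv[1].prefixlen, reverse=True):
        if addr in net:
            return name
    raise ValueError(ip)  # unreachable: 0.0.0.0/0 matches everything


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation of a *new* flow; returns (action, reason)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if (rule.src, rule.dst, rule.proto, rule.dport) == (src, dst, proto, dport):
            return "accept", rule.note
    return DEFAULT_ACTION, f"no rule for {src} -> {dst} {proto}/{dport}"


def to_nftables() -> str:
    """Render the policy as an nftables forward chain with a drop default."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in POLICY:
        match = []
        if r.src != "internet":  # no address match needed for the catch-all zone
            match.append(f"ip saddr {ZONES[r.src]}")
        if r.dst != "internet":
            match.append(f"ip daddr {ZONES[r.dst]}")
        match.append(f"{r.proto} dport {r.dport}")
        lines.append(f'    {" ".join(match)} accept comment "{r.note}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows: what the web server would try if it were
    # domain-joined (Kerberos, DNS to the LAN) versus what the design permits.
    for flow in [("192.0.2.10", "10.1.2.3", "tcp", 88),
                 ("192.0.2.10", "10.1.2.3", "udp", 53),
                 ("192.0.2.10", "198.51.100.5", "tcp", 1433),
                 ("192.0.2.10", "203.0.113.7", "udp", 123)]:
        print(flow, "->", evaluate(*flow))
    print(to_nftables())
```

The point of keeping the policy as data is that the same list both answers "would this flow be allowed?" for a review and produces the rule set that is actually loaded, so the two cannot drift apart; a Kerberos or DNS request from the web DMZ toward the LAN shows up as a drop in the evaluator before anyone domain-joins the box.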