Re: How to create a manageable DMZ architecture?



In article <b742ef56-cc3a-4703-80e6-
579b081ce7ce@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, clintpachl@xxxxxxxxx says...
My problem is that there are services on my internal LAN, such as
Kerberos, NTP, DNS queries & xfers, etc, that I need my servers on my
DMZs to access. I am thinking of building 2 DMZs; one for my web
servers and the other for my DB servers. After doing a little DMZ
design research I found two threads that make me wonder:

Is sounds like your web server is part of your windows active directory
or domain structure in the lan - BAD MOVE.

As for SQL - your application should be connecting over TCP 1433 using a
user/password connection, not a Windows Authentication connection.

NTP - no need to allow it to access the LAN, have it sync with the same
public NTP server as your main NTP server.

DNS - again, you could open TCP 53 between the DMZ and LAN, but the web
server has no reason to know the name of any node in the lan, so you
don't need DNS.

You appear to think that you can have a AD/Domain server in the DMZ and
still call it a DMZ - you can't.

The server in the DMZ should be a stand alone server, not part of your
LAN network or AD.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
.



Relevant Pages

  • Re: Web portal security
    ... win2003 standard server with IIS, SSL enabled and will be placed on ... So I will be fwding port 443 in firewall to my DMZ port. ... Well, assuming you are going to use teh SQL database from SBS, you can ... subnet than my LAN and map one to one from firewall to dmz. ...
    (microsoft.public.windows.server.sbs)
  • Re: 2 NICs Configuration Problem
    ... Servers on the DMZ are public, ... provides NAT for the LAN machines, allowing them to reach the Internet ... effectively bypassing firewall filtering to that server. ... Ethernet adapter Server Local Area Connection: ...
    (microsoft.public.windows.server.networking)
  • Re: Where to put the server
    ... Put the 2003 IIS Server in the DMZ. ... SBS box or another LAN server. ...
    (microsoft.public.backoffice.smallbiz2000)
  • RE: fedora-list Digest, Vol 6, Issue 266
    ... Re: OT: Setting up a forwarding mail domain in DMZ without ... Re: Sound Problem ... downloaded the yum.conf for fedora from Redhat's website. ... Server: Fedora.us Extras ...
    (Fedora)
  • Re: Groklaws "Bias" and the SCO DDoS Attack
    ... >on the same local LAN your office machines are you can congest that ... routers, with port 80 redirected to a web server on the LAN side. ... I've also used Sonicwall DMZ routers. ...
    (comp.unix.sco.misc)