Re: How to create a manageable DMZ architecture?



On Nov 20, 4:38 am, Leythos <v...@xxxxxxxxxxx> wrote:
In article <b742ef56-cc3a-4703-80e6-579b081ce...@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, clintpa...@xxxxxxxxx says...

My problem is that there are services on my internal LAN, such as
Kerberos, NTP, DNS queries & xfers, etc, that I need my servers on my
DMZs to access. I am thinking of building 2 DMZs; one for my web
servers and the other for my DB servers. After doing a little DMZ
design research I found two threads that make me wonder:

It sounds like your web server is part of your Windows Active Directory
or domain structure in the LAN - BAD MOVE.

All of my servers and firewalls are running OpenBSD. There are no
Windows machines on the entire network, only some FreeBSD and Macs.
All use Kerberos for sign-on.

As for SQL - your application should be connecting over TCP 1433 using a
user/password connection, not a Windows Authentication connection.

I'm using PostgreSQL, which uses Kerberos as the authentication
mechanism. I guess I could use username/password.

NTP - no need to allow it to access the LAN, have it sync with the same
public NTP server as your main NTP server.

True.

DNS - again, you could open TCP 53 between the DMZ and LAN, but the web
server has no reason to know the name of any node in the LAN, so you
don't need DNS.

You make a good point. I thought of that right after I hit send.

You appear to think that you can have an AD/Domain server in the DMZ and
still call it a DMZ - you can't.

I don't even know what this means. Are you saying that AD/Domain is
like Kerberos for Windows? If so, are you basically saying I should
not use Kerberos on my DMZ?

The server in the DMZ should be a stand-alone server, not part of your
LAN network or AD.

Thanks Leythos, I'll make a note of that.
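As an added example (not from either poster), a minimal OpenBSD pf.conf that implements the layout agreed on above: two DMZs, web servers reaching the DB servers on PostgreSQL only, NTP going straight to the same public server the LAN uses, and no path from either DMZ into the LAN for DNS, zone transfers or Kerberos. Interface names, subnets and the public NTP host are assumptions; 5432 is PostgreSQL's default port (the TCP 1433 quoted above is SQL Server's), and the matching pg_hba.conf change to password authentication is not shown.

```conf
# Added example pf.conf for the two-DMZ design discussed in the thread.
# Interface names, addresses and the NTP host are assumptions; ports are defaults.
ext_if = "em0"           # Internet
lan_if = "em1"           # internal LAN (Kerberos KDC, internal DNS, LAN NTP server)
web_if = "em2"           # DMZ 1: web servers
db_if  = "em3"           # DMZ 2: PostgreSQL servers

lan_net = "10.0.0.0/24"
web_net = "10.0.1.0/24"
db_net  = "10.0.2.0/24"
ntp_pub = "pool.ntp.org"   # assumed public NTP server, the same one the LAN syncs to

set skip on lo

# Default deny, logged, so any flow not listed below shows up on pflog0.
# Every "pass" below keeps state; with the default floating state policy the
# reply and the forwarded leg on the other interface match that state.
block log all

# DMZs use private addresses, so translate their outbound traffic (OpenBSD 4.7+ syntax).
match out on $ext_if from { $web_net $db_net } nat-to ($ext_if)

# Internet -> web DMZ: only HTTP/HTTPS to the web servers.
pass in on $ext_if proto tcp to $web_net port { 80 443 }

# Web DMZ -> DB DMZ: PostgreSQL only. The application authenticates with a
# username/password in pg_hba.conf, so the DMZs never need to reach the LAN KDC.
pass in on $web_if proto tcp from $web_net to $db_net port 5432

# Both DMZs -> public NTP. Nothing lets them reach the LAN's NTP server.
pass in on { $web_if $db_if } proto udp to $ntp_pub port 123

# Deliberately absent: any rule from $web_net or $db_net to $lan_net.
# That covers DNS (UDP/TCP 53), zone transfers and Kerberos (88) in one stroke.

# LAN -> DMZs: administrator SSH only; the state table handles the return path.
pass in on $lan_if proto tcp from $lan_net to { $web_net $db_net } port 22
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0` for a while: anything a DMZ host still tries to send to $lan_net shows up there as a blocked packet and tells you which dependency the thread's advice missed.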