Securing the DMZ and Trusted domain with a firewall

From: Christopher Brisley (chris.brisley@invaluable.com)
Date: 06/06/02

I currently have two subnets (trusted and DMZ), both
separated by a Cisco PIX 520 firewall. In the DMZ we have
IIS 4 web servers, and in the trusted domain we have
Exchange 5.5 using the SMTP proxy client, SQL Server 7 and
Proxy Server 2, directly connected and therefore packet
filtering. All servers in the DMZ and the trusted domain
are multi-homed and span both subnets (bypassing the
firewall).

Many bespoke programs utilise a UNC path to access the
servers in the DMZ and update various websites. In
addition, the development technology employed is ADO
(ActiveX Data Objects) utilising COM/DCOM, MTS/DTC and SQL
Server.

We are currently changing our ISPs and therefore our
firewalls. I consider our current implementation to be a
major security risk and wish to redesign the topology.

I wish to remove all multi-homed servers so that a server
only exists in its own domain and must pass through the
firewall to reach the DMZ servers.

We currently employ Windows NT 4 Server architecture using
WINS and DHCP in the trusted domain. In the DMZ, the two
main web servers are the PDC and BDC of that domain.

Obviously the best way to secure the trusted domain from
the DMZ is not to open up the firewall at all, but
obviously this is not feasible with bespoke systems
requiring a UNC path, and SQL and transaction servers
needing access through to the respective subnet.

I have many ideas but wish to hear from the various expert
communities. Comments please?
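As an added example (not part of the original post, and not the poster's configuration), the following PIX 6.x fragment shows what the redesign described above looks like once the multi-homed links are gone and every flow between the trusted subnet and the DMZ is forced through the firewall. Interface names, the 10.1.0.0/24 and 192.168.100.0/24 addresses, the host names and the DTC port range 5000-5020 are all assumptions for illustration; substitute the real ones. The trusted subnet is the higher-security interface, so DMZ-to-trusted traffic needs both an identity static and an explicit permit (SQL on 1433, DTC on 135 plus a fixed RPC range), while trusted-to-DMZ traffic, which the PIX would otherwise allow wholesale, is cut back to the deployment host's SMB session (TCP 139 under NT 4) and DTC's return connections.

```cisco
: Assumed interfaces: trusted LAN on inside, web servers on dmz
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.0.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0

: Assumed hosts (labels only; not from the original post)
names
name 10.1.0.20 sqlserver
name 10.1.0.21 dtcserver
name 10.1.0.30 deploybox
name 192.168.100.10 web1
name 192.168.100.11 web2

: Identity translation so DMZ hosts can reach trusted hosts by their real
: addresses. This permits nothing by itself; the ACLs below decide.
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.255.0 0 0

: DMZ -> trusted: only SQL and DTC, only from the two web servers.
: 5000-5020 is the fixed RPC range assumed to be configured on dtcserver.
access-list dmz_in permit tcp host web1 host sqlserver eq 1433
access-list dmz_in permit tcp host web2 host sqlserver eq 1433
access-list dmz_in permit tcp host web1 host dtcserver eq 135
access-list dmz_in permit tcp host web2 host dtcserver eq 135
access-list dmz_in permit tcp host web1 host dtcserver range 5000 5020
access-list dmz_in permit tcp host web2 host dtcserver range 5000 5020
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

: trusted -> DMZ: the PIX allows all of this by default (higher to lower
: security), so narrow it to the UNC deployment host and DTC, deny the rest
: of the DMZ, and leave other inside traffic (e.g. to outside) as it was.
access-list inside_out permit tcp host deploybox host web1 eq 139
access-list inside_out permit tcp host deploybox host web2 eq 139
access-list inside_out permit tcp host dtcserver host web1 eq 135
access-list inside_out permit tcp host dtcserver host web1 range 5000 5020
access-list inside_out permit tcp host dtcserver host web2 eq 135
access-list inside_out permit tcp host dtcserver host web2 range 5000 5020
access-list inside_out deny ip any 192.168.100.0 255.255.255.0
access-list inside_out permit ip any any
access-group inside_out in interface inside
```

Two things the ruleset depends on. First, DCOM/MTS/DTC normally pick dynamic high ports after the endpoint-mapper call on 135, which no sane ACL can express; restrict them on each DTC host (trusted and DMZ, since DTC opens connections in both directions) with the HKLM\Software\Microsoft\Rpc\Internet registry values Ports, PortsInternetAvailable and UseInternetPorts from Microsoft KB 154596, then reboot, and make the ACL range match. Second, nothing above opens UDP 137/138, so the hosts cannot use WINS or broadcasts across the firewall; give each side static entries for the peers it needs in lmhosts (or use IP addresses in connection strings) rather than opening NetBIOS name resolution into the trusted domain.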
