Re: Securing the DMZ and Trusted domain with a firewall

From: S. Pidgorny [MVP] (slavickp@yahoo.com)
Date: 06/06/02


From: "S. Pidgorny [MVP]" <slavickp@yahoo.com>
Date: Thu, 6 Jun 2002 22:35:13 +1000


Christopher,

You can set up the firewall to have the DMZ completely separate, with rules to
pass NetBIOS traffic (UNC access/CIFS in NT uses NetBT) and the other types
needed for authentication without degrading security, but getting rid
of multihoming is a good idea indeed.

--
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-
"Christopher Brisley" <chris.brisley@invaluable.com> wrote in message
news:bb0c01c20d52$34a93920$b1e62ecf@tkmsftngxa04...
> I currently have two subnets (trusted and DMZ) both
> separated by a Cisco Pix 520 firewall. In the DMZ we have
> IIS 4 web servers and in the trusted domain we have
> Exchange 5.5 using SMTP proxy client, SQL Server 7 and
> proxy 2 server directly connected and therefore packet
> filtering. All servers in the DMZ and trusted are multi-homed
> and span both Subnets (bypassing the firewall).
>
> Many bespoke programs utilise a UNC path to access the
> servers in the DMZ and update various websites. In
> addition, development technology employed is ADO (ActiveX
> Data Objects) utilising COM/DCOM and MTS/DTC and SQL Server.
>
> We are currently changing our ISPs and therefore our
> firewalls. I currently consider our current implementation
> to be a major security risk and wish to redesign the
> topology.
>
> I wish to remove all multi-homed servers so that a server
> only exists in its own domain and must pass through the
> firewall to the DMZ servers.
>
> We currently employ Windows NT 4 Server architecture using
> WINS and DHCP in the trusted domain. In the DMZ, the two
> main web servers are the PDC and BDC of that domain.
>
> Obviously the best way to secure the trusted domain from
> the DMZ is not to open up the firewall at all but
> obviously this is not feasible with bespoke systems
> requiring a UNC path, and a SQL and transaction server needing
> access through to the respective subnet.
>
> I have many ideas but wish to hear from the various expert
> communities, comments please?
>
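A small policy model of the rule set the reply describes (named DMZ web servers reaching the trusted file and SQL servers over NetBT and TDS only, everything else denied), added here as an illustration and not code from the thread; the host names, RFC 5737 addresses and the choice of which web server needs which server are constructed placeholders.

```python
"""Default-deny model of the DMZ -> trusted firewall direction (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # source network on the DMZ side
    dst: str      # destination network on the trusted side
    proto: str    # "tcp" or "udp"
    ports: range  # destination ports permitted


# Constructed addressing: DMZ 192.0.2.0/24, trusted 198.51.100.0/24.
WEB1, WEB2 = "192.0.2.10", "192.0.2.11"
FILESRV, SQLSRV = "198.51.100.20", "198.51.100.30"

# Pass NetBT for UNC/CIFS access and the SQL Server port for ADO, from the
# specific web servers that need them. No rule matches -> denied, which is
# what replaces the multi-homed "bypass the firewall" path.
# DCOM/MTS/DTC use the RPC endpoint mapper (TCP 135) plus dynamically
# assigned ports, so they are deliberately not modelled by fixed ranges here.
DMZ_IN = [
    Rule(WEB1 + "/32", FILESRV + "/32", "udp", range(137, 139)),   # NetBIOS name/datagram
    Rule(WEB1 + "/32", FILESRV + "/32", "tcp", range(139, 140)),   # NetBIOS session (CIFS)
    Rule(WEB2 + "/32", SQLSRV + "/32", "tcp", range(1433, 1434)),  # SQL Server (TDS)
]


def permitted(rules, src, dst, proto, port):
    """First-match evaluation; no matching rule means the flow is denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and proto == r.proto and port in r.ports):
            return True
    return False


def audit(rules, required, forbidden):
    """Return (missing, leaked): required flows that are blocked, and
    flows that must stay blocked but are permitted."""
    missing = [f for f in required if not permitted(rules, *f)]
    leaked = [f for f in forbidden if permitted(rules, *f)]
    return missing, leaked
```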

