Re: DMZ & Security

news.microsoft.com
Date: 01/21/04


Date: Wed, 21 Jan 2004 17:31:20 +0100

Could you explain some concepts?

> >1) Are there any differences between the two
> configurations ?
>
> yes, deployment price, security level (depending what
> equipment you are buying), flexibility
>
> >2) Is one of those more secure than the other ?
>
> I think the second one is much more interesting and
> secure, there are two gates instead of one.. the second one
> should hold longer to a break-in attempt....

Why?
OK, two gates instead of one, but if the two doors take the same key there is
no difference.
I mean that if packets are to be routed from the Internet to the LAN they have
to pass through the 2 firewalls, so if a port is open on the first, the same
port has to be open on the second; or if someone cracks my first firewall and
takes control of it, then he will be able to learn that there is another
firewall and what its security policies are.

>
> >3) Which one to choose ?
>
> in my case I would go for b
>
> >4) Connections from DMZ to LAN are blocked by default; if
> e.g. I have a web
> >server on the DMZ that has to access a SQL Server database
> that resides on my
> >LAN, what do I have to do ?
>
> open ports...
>
> >If I start to open ports and configure filters on my
> firewall I think my
> >network security decreases ****yes but anyway you will
> need to have some ports open.. like port 80, then you
> should think about http filtering also...****, and in this
> case what sense has my DMZ ? you need to look if you
> really need a dmz.. is this for personal use or company ?

It's for company use.
Open ports like 80 ...
But in general, how are connections made from the DMZ to the LAN?
E.g.: if I have a web server on the DMZ that has to access a SQL Server
database that resides on a server on the LAN, what is the best way to do it
without compromising my network security?

> (if
> >someone takes control of one server on the DMZ he could then
> access my lan).> the best way is to have two connections,
> not internally connected

Could you explain what you mean when you say two connections?

> >What are the guidelines to follow when I have to access
> internal servers
> >from the DMZ ? ...???
> >

Look at point 4.

> >Thanks,
> >Michele L.

"Benjamin F." <anonymous@discussions.microsoft.com> wrote in message
news:1d5f01c3e034$817a8f40$a601280a@phx.gbl...
> Hi there...
>
> In any case that depends on your budget :))
>
> so see my personal ideas below
>
> >-----Original Message-----
> >Hi,
> >
> >I read a lot of technical articles about DMZ and security
> in general but I
> >am a little confused about the best configuration.
> >
> >I can implement a DMZ with 2 firewalls (a) or 1 firewall
> with a built-in DMZ
> >(b).
> >
> >(a)
> >INTERNET
> >!
> >Firewall ---- DMZ (public servers)
> >!
> >LAN
> >
> >
> >(b)
> >INTERNET
> >!
> >Firewall1
> >!
> >!--------------------- DMZ
> >!
> >Firewall2
> >LAN
> >!
> >
> >My questions are:
> >
> >1) Are there any differences between the two
> configurations ?
>
> yes, deployment price, security level (depending what
> equipment you are buying), flexibility
>
> >2) Is one of those more secure than the other ?
>
> I think the second one is much more interesting and
> secure, there are two gates instead of one.. the second one
> should hold longer to a break-in attempt....
>
> >3) Which one to choose ?
>
> in my case I would go for b
>
> >4) Connections from DMZ to LAN are blocked by default; if
> e.g. I have a web
> >server on the DMZ that has to access a SQL Server database
> that resides on my
> >LAN, what do I have to do ?
>
> open ports...
>
> >If I start to open ports and configure filters on my
> firewall I think my
> >network security decreases ****yes but anyway you will
> need to have some ports open.. like port 80, then you
> should think about http filtering also...****, and in this
> case what sense has my DMZ ? you need to look if you
> really need a dmz.. is this for personal use or company ?
> (if
> >someone takes control of one server on the DMZ he could then
> access my lan).> the best way is to have two connections,
> not internally connected
> >What are the guidelines to follow when I have to access
> internal servers
> >from the DMZ ? ...???
> >
> >Thanks,
> >Michele L.
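Added example, not from the thread or either poster: a small Python model of design (b), two firewalls with the DMZ between them, that answers point 4 the way a practitioner would, with a default-deny DMZ-to-LAN policy and a single allow rule from the web server's own address to the SQL Server port. All addresses, ports and rule sets are constructed; it also shows why the second firewall is not "the same key" as the first once its rule is keyed on the source host and not just the port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src: str               # source network, CIDR notation
    dst: str               # destination network, CIDR notation
    dport: Optional[int]   # TCP destination port, None = any port
    action: str            # "allow" or "deny"

# Constructed addressing (RFC 5737 / RFC 1918 ranges), not from the thread.
WEB = "192.0.2.10"            # public web server in the DMZ (192.0.2.0/24)
SQL = "10.0.0.20"             # SQL Server on the LAN (10.0.0.0/24)
FILESRV = "10.0.0.30"         # another LAN host the web server never needs
INTERNET_CLIENT = "203.0.113.5"

# Firewall1 (Internet edge): only HTTP to the web server; the LAN is never reachable.
FW1 = [
    Rule("0.0.0.0/0", f"{WEB}/32", 80, "allow"),
    Rule("0.0.0.0/0", "10.0.0.0/24", None, "deny"),
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]
# Firewall2 (DMZ/LAN boundary): one narrow hole keyed on BOTH source host and
# port, so a compromised DMZ host can reach nothing but SQL Server on 1433.
FW2 = [
    Rule(f"{WEB}/32", f"{SQL}/32", 1433, "allow"),
    Rule("192.0.2.0/24", "10.0.0.0/24", None, "deny"),
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]
# A deliberately sloppy edge firewall, to show the second gate is a different key.
FW1_WIDE_OPEN = [Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow")]

def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match falls through to deny."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"

def permitted(src: str, dst: str, dport: int, path: List[List[Rule]]) -> bool:
    """A flow must be allowed by every firewall on its path, so the effective
    policy of a layered design is the intersection of the device policies.
    In design (b): Internet->DMZ crosses FW1, DMZ->LAN crosses FW2,
    Internet->LAN crosses both."""
    return all(evaluate(fw, src, dst, dport) == "allow" for fw in path)
```

Even with the edge firewall wide open, the Internet client cannot reach SQL Server, because FW2 only admits TCP/1433 from the web server's address; that is the property that makes the second gate worth having.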


