Re: Gurus: server on perimeter vs. corporate advice
From: Derek Newton (DerekNewton_at_discussions.microsoft.com)
Date: 08/17/05
- Previous message: Karl Levinson, mvp: "Re: Gurus: server on perimeter vs. corporate advice"
- In reply to: Karl Levinson, mvp: "Re: Gurus: server on perimeter vs. corporate advice"
- Next in thread: Derek Newton: "RE: Gurus: server on perimeter vs. corporate advice"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Aug 2005 05:33:18 -0700
Unfortunately, with something like SharePoint Portal Server (or anything else
that requires any sort of backend) you usually end up creating rules on the
firewall which will allow traffic to flow from the DMZ to the Internal
network and thus negating the security of having a server in the DMZ.
If this was a stand-alone server that did not require access to any services
within your internal network then placing it on the DMZ *would* provide an
additional layer of security.
Derek
"Karl Levinson, mvp" wrote:
>
> "Marlon Brown" <nospamarlon@hotmail.com> wrote in message
> news:urpstWmoFHA.3996@TK2MSFTNGP12.phx.gbl...
> > Thanks ! How about this statement:
> > But if you put the Sharepoint in the "DMZ", you would need to open various
> > ports to allow communication from the DMZ to the Internal network (I think
> > Sharepoint like OWA, does require ports other than 443 or 80 for
> > communications).
> > When you "open" such ports for a server that resides in the DMZ, aren't
> > you also exposing important information from your internal network ?
> > At least that's the idea that I have heard from some Exchange people. If
> > you put the OWA box in the "DMZ", they told me, you need to open a bunch of
> > put the OWA box in the "DMZ", they told me, you need to open a bunch of
> > ports (Kerberos, 3289, etc) to allow communication with the internal
> > network. At that point, I thought it was when it would make sense keep the
> > server in the internal network ?
>
> If you keep it on the internal network, once that server is compromised,
> your internal network is compromised, and there is absolutely no restriction
> on what that server can touch on that network, and little monitoring or
> detection of what it tries to touch.
>
> If you put it in a DMZ, you may have to open a few ports in one direction or
> the other. But you can open them one way, from internal to DMZ, so that DMZ
> has less opportunity to get into your internal network directly, or
> additional servers have to also be hacked to get there. You can also put a
> domain controller into the DMZ so that Internet attackers talk to the
> sharepoint server, and your internal network talks with the domain
> controller, but attackers on your mail server cannot directly get to the
> Internal network. You could also put a proxying firewall such as ISA server
> in between the DMZ to examine and control what a person in the DMZ can do
> outside the DMZ and vice versa.
>
> The argument against opening up windows networking through a firewall is
> usually "but it will turn your firewall into swiss cheese." So then the
> solution then is to remove the firewall altogether? And that's better?
>
> But why re-invent the wheel? Microsoft no doubt has security best practice
> papers for sharepoint on their web site at
> www.microsoft.com/technet/security I'm pretty sure those best practices
> papers will suggest a DMZ as being more secure than no DMZ.
>
>
>
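Added example, not from the thread: a small audit of a zone-based firewall policy for the exact issue both posters raise, namely allow rules that let a compromised DMZ host initiate connections into the internal network. The rule format, zone names and both sample policies are constructed for illustration.

```python
"""Audit a zone-based firewall policy for DMZ -> INTERNAL openings.
Rule format and sample policies are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # zone that initiates the connection
    dst_zone: str   # zone that receives it
    dst_port: int   # TCP/UDP destination port, 0 = any
    action: str     # "allow" or "deny"


# Constructed policy: SharePoint front end in the DMZ, SQL and domain
# controller kept internal, so the DMZ must be allowed back in (the problem).
BACKEND_INTERNAL_POLICY = [
    Rule("inet-to-sharepoint", "INTERNET", "DMZ", 443, "allow"),
    Rule("internal-to-sharepoint", "INTERNAL", "DMZ", 443, "allow"),
    Rule("dmz-to-sql", "DMZ", "INTERNAL", 1433, "allow"),
    Rule("dmz-to-dc-kerberos", "DMZ", "INTERNAL", 88, "allow"),
    Rule("dmz-to-internal-default", "DMZ", "INTERNAL", 0, "deny"),
]

# Constructed policy following the quoted advice: backend services (here a
# DMZ domain controller) live in the DMZ and only INTERNAL -> DMZ is opened.
ONE_WAY_POLICY = [
    Rule("inet-to-sharepoint", "INTERNET", "DMZ", 443, "allow"),
    Rule("internal-to-sharepoint", "INTERNAL", "DMZ", 443, "allow"),
    Rule("internal-to-dmz-dc", "INTERNAL", "DMZ", 88, "allow"),
    Rule("dmz-to-internal-default", "DMZ", "INTERNAL", 0, "deny"),
]


def dmz_to_internal_openings(policy):
    """Allow rules where a DMZ host may *initiate* a session into INTERNAL.
    A stateful firewall passes replies to INTERNAL -> DMZ sessions without
    any such rule, so every hit here is reachable from a compromised DMZ host."""
    return [r for r in policy
            if r.action == "allow" and r.src_zone == "DMZ"
            and r.dst_zone == "INTERNAL"]


def exposed_internal_ports(policy):
    """Sorted distinct internal ports a DMZ host can reach (0 means any)."""
    return sorted({r.dst_port for r in dmz_to_internal_openings(policy)})


def is_one_way(policy):
    """True when nothing may originate from the DMZ into INTERNAL."""
    return not dmz_to_internal_openings(policy)
```

Run against the first policy it lists ports 88 and 1433 as reachable from the DMZ; the second policy passes the one-way check.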