Re: Help with security design documentation
If you believe that having three networks (DMZ, public, private) reduces your security risk, then it's obviously silly to say "we have a private network that we run a public server on, and a DMZ with nothing on it, and a public network to talk to the empty DMZ". If you have bothered to classify your networks, then obviously you should classify the applications for the appropriate networks as well.

Personally, I think that in most small business and home-office networks, one properly configured firewall/router is more effective than three separate networks anyhow; but that's just me.

Your app has a performance issue. Unless you have hundreds of thousands of hits per day, IPSec is not the problem.

Personally, I wouldn't run an application (let alone a publicly accessible web app) on a Domain Controller; but that's just me.

Byron Hynes
Windows Server
Microsoft Corporation

http://spaces.msn.com/members/byronphynes
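The classification point in the reply above (an application's placement must agree with the zone policy, otherwise you end up with a public server on the private network and an empty DMZ) can be checked mechanically. The following is an added example, not code from either poster and not a Cisco configuration: it models the three zones and the four allowed flows the original post describes, then tests whether a given application placement can work without a flow the policy does not permit. The zone names, the `App` records and both placements are constructed assumptions mirroring the thread.

```python
"""Zone-placement check for a three-network design (DMZ / public / private).

Added example, not part of the original thread. Zone names, the flow table
and the application placements are constructed to mirror the poster's setup.
"""
from dataclasses import dataclass, field

# Allowed zone-to-zone flows as the original poster lists them:
# private<->dmz and dmz<->public. There is deliberately no public->private
# entry; that is the whole point of having a DMZ.
ALLOWED_FLOWS = {
    ("private", "dmz"),
    ("dmz", "private"),
    ("dmz", "public"),
    ("public", "dmz"),
}

# Zones the organisation actually hosts systems in ("public" is the Internet).
OWNED_ZONES = ("dmz", "private")


@dataclass
class App:
    name: str
    zone: str                  # zone the application's host sits in
    clients: set               # zones that must initiate connections to it
    depends_on: set = field(default_factory=set)  # apps it must reach


def required_flows(apps):
    """Every (src_zone, dst_zone) pair this placement needs to function."""
    by_name = {a.name: a for a in apps}
    flows = set()
    for a in apps:
        for client_zone in a.clients:
            flows.add((client_zone, a.zone))
        for dep in a.depends_on:
            flows.add((a.zone, by_name[dep].zone))
    # Traffic that never leaves a zone needs no inter-zone rule.
    return {f for f in flows if f[0] != f[1]}


def check(apps, allowed=ALLOWED_FLOWS):
    """Return (ok, sorted list of required flows the policy does not permit)."""
    bad = sorted(required_flows(apps) - set(allowed))
    return (not bad, bad)


def empty_zones(apps, zones=OWNED_ZONES):
    """Owned zones with no application in them (a DMZ 'with nothing on it')."""
    used = {a.zone for a in apps}
    return [z for z in zones if z not in used]


# Constructed placements: the poster's current design and the vendor's proposal.
CURRENT = [
    App("accounting-dc", "private", clients={"private"}),
    App("web-app", "dmz", clients={"public"}, depends_on={"accounting-dc"}),
]
PROPOSED = [
    App("accounting-dc", "private", clients={"private"}),
    App("web-app", "private", clients={"public"}, depends_on={"accounting-dc"}),
]

if __name__ == "__main__":
    for label, placement in (("current", CURRENT), ("proposed", PROPOSED)):
        ok, bad = check(placement)
        print(label, "OK" if ok else f"needs flows not in policy: {bad}",
              "| empty zones:", empty_zones(placement))
```

Running it reports the current design as consistent with the policy, while the proposed move needs a `public -> private` flow that the policy has no rule for and leaves the DMZ unused. The check is only as good as the flow table you feed it; if a rule set on the router differs from `ALLOWED_FLOWS`, model the router, not the intent.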

Hello all, I have a small network consisting of two Windows 2003 servers. One is a DC and houses my accounting application. The other is a web server (member server) I have on its own DMZ (Cisco 871 router). I have the traditional rules defined for access from private to DMZ, DMZ to private, DMZ to public, and public to DMZ (the two servers talk to each other via an IPSec encrypted tunnel; the application uses Windows authentication instead of opening a TCP port or two). The problem is performance of the application on the web server accessing data from the main accounting server (again, the only DC). It works, it's just slow. The application provider wants to move the web server and web application over to the private DC server. I have discussed this with a CISSP who tells me that that's a no-no. I need hard facts, i.e. Microsoft or other official documentation, stating reasons why.
Your assistance is appreciated.
Thanks.
