Re: Help with security design documentation
??? Not sure if you are quoting me with "we have a private network
that we run a public server on, and a DMZ with nothing on it, and a public
network to talk to the empty DMZ". I did not state that anywhere in my
scenario.

In further investigation, my IPSEC traffic is at about 21Mb/s connectivity
between my two servers. I am connected 100Mb/s full duplex at the webserver
to the Cisco 871 and it in turn is connected 100Mb/s full duplex to a Linksys
managed 10/100 switch with a 1000Mb/s port for DC server connectivity. I am
getting a 3COM 10/100 secure NIC that is supposed to take the load off of my
PIII for the IPSEC load to help speed that 21Mb/s up. But my main question
still applies of needing some documentation on why setting up the webserver
on its own DMZ is the more secure option.


"Byron Hynes [MS]" wrote:

If you believe that having three networks (DMZ, public, private) reduces
your security risk, then it's obviously silly to say "we have a private network
that we run a public server on, and a DMZ with nothing on it, and a public
network to talk to the empty DMZ". If you have bothered to classify your
networks, then obviously you should classify the applications for the appropriate
networks as well.

Personally, I think that in most small business and home-office networks,
one properly configured firewall/router is more effective than three separate
networks anyhow; but that's just me.

Your app has a performance issue. Unless you have hundreds of thousands
of hits per day, IPSec is not the problem.

Personally, I wouldn't run an application (let alone a publicly accessible
web app) on a Domain Controller; but that's just me.

Byron Hynes
Windows Server
Microsoft Corporation

http://spaces.msn.com/members/byronphynes

Hello all, I have a small network consisting of two Windows 2003 servers. One
is a DC and houses my accounting application. The other is a web-server
(member server) I have on its own DMZ (Cisco 871 router). I have the
traditional rules defined for access from private to DMZ, DMZ to private, DMZ
to public, and public to DMZ (the two servers talk to each other via an IPSEC
encrypted tunnel... the application used Windows authentication instead of
opening a tcp port or two). The problem is performance of the application on
the web-server accessing data from the main accounting server (again the only
DC). It works, it's just slow. The application provider wants to move the
web-server and web application over to the private DC server. I have
discussed with a CISSP who tells me that that's a no no. I am needing hard
facts, i.e. Microsoft or other official documentation stating reasons why.
Your assistance is appreciated.
Thanks.
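To make Byron's point about classifying applications to networks concrete, here is an added example (my own, not from the thread, from Microsoft, or from any real 871 config) that models the two placements as zones plus firewall rules and computes what an attacker who breaks into the web application can reach next. The zone names, host names, listening services and the rule generator are assumptions constructed from the original post.

```python
# Added example (not from the thread): a zone-policy model comparing the two
# placements discussed. Hosts, zones, services and rules are constructed.

# Design A: web server on its own DMZ behind the Cisco 871.
DESIGN_A = {"web": "dmz", "dc": "private"}
# Design B: the vendor's proposal, web app moved onto the (only) domain controller.
DESIGN_B = {"web": "private", "dc": "private"}

# Services each host listens on (constructed). Accounting data is served to the
# web app through the IPsec tunnel; ldap/smb/kerberos are the DC's domain
# services, which no firewall rule ever permits across zones.
LISTENS = {"web": {"http", "https"}, "dc": {"ipsec", "ldap", "smb", "kerberos"}}

def policy_for(placement):
    """Derive the 'traditional' rule set as (src_zone, dst_zone, service) tuples:
    the Internet may reach the web server's zone on http/https, and the IPsec
    tunnel is permitted between the two servers only when the firewall actually
    sits between them (same-zone traffic never crosses the 871)."""
    web_zone, dc_zone = placement["web"], placement["dc"]
    rules = {("public", web_zone, "http"), ("public", web_zone, "https")}
    if web_zone != dc_zone:
        rules |= {(web_zone, dc_zone, "ipsec"), (dc_zone, web_zone, "ipsec")}
    return rules

def reachable(placement, from_zone):
    """Return {host: {services}} that an actor located in `from_zone` can reach.
    Inside a zone every listening service is reachable; across zones only what
    the policy explicitly permits."""
    rules = policy_for(placement)
    out = {}
    for host, zone in placement.items():
        if zone == from_zone:
            svcs = set(LISTENS[host])
        else:
            svcs = {s for src, dst, s in rules
                    if src == from_zone and dst == zone and s in LISTENS[host]}
        if svcs:
            out[host] = svcs
    return out

def blast_radius(placement, compromised_host):
    """What an attacker who has taken over `compromised_host` (for example via
    a web application bug) can reach next: they now originate from its zone."""
    return reachable(placement, placement[compromised_host])

if __name__ == "__main__":
    for name, design in (("A: web in DMZ", DESIGN_A), ("B: web on DC", DESIGN_B)):
        print(name, "from Internet:", reachable(design, "public"))
        print(name, "after web compromise:", blast_radius(design, "web"))
```

From the Internet both designs look identical (only http/https on the web host), which is why the vendor sees no difference; the difference is that in design B a web-tier compromise lands in the private zone with the DC's domain services directly reachable, while in design A it is held to the IPsec channel the app already needed.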
