Re: Help with security design documentation

??? Not sure if you are quoting me with "we have a private network that we run a public server on, and a DMZ with nothing on it, and a public network to talk to the empty DMZ". I did not state that anywhere in my
In further investigation, my IPsec traffic is at about 21 Mb/s between my two servers. I am connected 100 Mb/s full duplex from the web server to the Cisco 871, and it in turn is connected 100 Mb/s full duplex to a Linksys managed 10/100 switch with a 1000 Mb/s port for DC server connectivity. I am getting a 3Com 10/100 secure NIC that is supposed to take the IPsec load off of my PIII to help speed that 21 Mb/s up. But my main question still applies: I need some documentation on why setting up the web server on its own DMZ is the more secure option.

"Byron Hynes [MS]" wrote:

If you believe that having three networks (DMZ, public, private) reduces your security risk, then it's obviously silly to say "we have a private network that we run a public server on, and a DMZ with nothing on it, and a public network to talk to the empty DMZ". If you have bothered to classify your networks, then obviously you should classify the applications for the appropriate networks as well.

Personally, I think that in most small business and home-office networks, one properly configured firewall/router is more effective than three separate networks anyhow; but that's just me.

Your app has a performance issue. Unless you have hundreds of thousands of hits per day, IPsec is not the problem.

Personally, I wouldn't run an application (let alone a publicly accessible
web app) on a Domain Controller; but that's just me.

Byron Hynes
Windows Server
Microsoft Corporation

Hello all, I have a small network consisting of two Windows 2003 servers. One is a DC and houses my accounting application. The other is a member server that I have on its own DMZ (Cisco 871 router). I have the traditional rules defined for access from private to DMZ, DMZ to private, DMZ to public, and public to DMZ (the two servers talk to each other via an encrypted tunnel; the application uses Windows authentication instead of opening a TCP port or two). The problem is performance of the application on the web server accessing data from the main accounting server (again, the only DC). It works, it's just slow. The application provider wants to move the web server and web application over to the private DC server. I have discussed this with a CISSP who tells me that that's a no-no. I need hard facts, i.e. Microsoft or other official documentation stating reasons
Your assistance is appreciated.
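As an added illustration of the three-zone rule set the post describes (this is a constructed example, not configuration from the thread, from Cisco, or from the application vendor), here is an IOS access-list sketch for an 871-class router. The interface names, VLAN numbers, addresses and ACL names are assumptions; the thread gives none of them.

```cisco
! Constructed example for a Cisco 871-class router: three zones, one public
! service. Names, VLANs and addresses are assumptions, not values from the thread.
!   WAN (public):  FastEthernet4
!   DMZ:           Vlan10, 192.0.2.0/24, web server 192.0.2.10
!   Private:       Vlan1,  10.0.0.0/24,  domain controller 10.0.0.5
!
! Public -> DMZ: only the published web ports, and only to the web host.
! Nothing from the Internet may reach the private network directly.
ip access-list extended PUBLIC-IN
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 deny   ip any 10.0.0.0 0.0.0.255 log
 deny   ip any any log
!
! DMZ -> Private: only the IPsec traffic between the web server and the DC
! (ESP plus IKE on UDP 500). If the web server is compromised it has no
! other path into the private network; anything else it sends toward the
! private range is logged and dropped.
ip access-list extended DMZ-IN
 permit esp host 192.0.2.10 host 10.0.0.5
 permit udp host 192.0.2.10 host 10.0.0.5 eq isakmp
 deny   ip any 10.0.0.0 0.0.0.255 log
 permit ip any any
!
! Private -> DMZ and Private -> Public: management and outbound access.
! The DC itself never has to accept a connection from the Internet.
ip access-list extended PRIVATE-IN
 permit ip 10.0.0.0 0.0.0.255 any
 deny   ip any any log
!
interface FastEthernet4
 description WAN / public
 ip access-group PUBLIC-IN in
!
interface Vlan10
 description DMZ
 ip access-group DMZ-IN in
!
interface Vlan1
 description private LAN
 ip access-group PRIVATE-IN in
!
! What moving the web application onto the DC would force: PUBLIC-IN would
! need a line such as
!   permit tcp any host 10.0.0.5 eq 443
! so the domain controller becomes the Internet-facing host, and a flaw in
! the web application is then a flaw on the DC rather than on an isolated
! member server constrained by DMZ-IN.
```

These ACLs are stateless and deliberately minimal: on an 871 you would pair them with CBAC (`ip inspect`) or the zone-based firewall for return traffic, and rules for the DMZ host's own outbound needs (updates, DNS) are omitted. The point the configuration makes is the one the post is asking for documentation on: the only service reachable from the public side is the web listener on a member server, and that server's only route into the private network is the single IPsec pairing with the DC, which is exactly the containment that is lost once the web application runs on the DC itself.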