Comments? - DMZ and Domain Security

From: Alan Morris (alan_at_address.withheld.com)
Date: 07/25/04


Date: Sun, 25 Jul 2004 16:49:03 +0100

Cross posted from ms.public.security:

I am interested to hear anyone's comment on the following:

Organisation has internal LAN and an Extranet with Web and mail
servers located in a DMZ. The firewall is a Cisco device.

At present both the DMZ and the LAN are separate domains, which means
that staff often have to be registered to both domains. This linked
with password complexity/expiry policy creates much confusion.

So we are considering opening a hole in the firewall between the dmz
and the inside to allow us to set up a one way trust relationship
between the two domains, with the DMZ domain trusting the LAN domain.

In this way staff will only be registered on the inside whilst trusted
3rd parties would only be registered on the DMZ.

Now I know in theory that this ought to be secure (there is no outside
access), but supposing that the dmz got compromised in some unforeseen
way, what is the potential for this to provide a staging post to
compromising the inside? Is this risk more or less than having the two
completely isolated domains?

I know there are no definitive answers to this question but I would
warmly welcome hearing the views of anyone prepared to share them.

Many thanks,
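The two things the question turns on, trust direction and the size of the firewall hole, can be modelled directly. The Python below is an added example, not part of the original post or any vendor's tooling; the addresses, host roles, rule sets and the list of DC-to-DC ports are constructed assumptions for illustration. It encodes a one-way trust (DMZ trusts LAN), a default-deny rule table, and an `exposure` check that answers "if this DMZ host is compromised, which inside services can it reach through the hole?" for a blanket DMZ-to-LAN permit versus a DC-to-DC, trust-ports-only permit, plus an `overbroad` audit that flags rules permitting any port or a whole subnet.

```python
"""Model of the DMZ/LAN firewall 'hole' a one-way domain trust needs, and of
what a compromised DMZ host can reach through it.

Added example, not from the original post. Addresses, host roles, the port
list and the rule sets are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One permit entry: traffic from src to dst on proto/port (port None = any)."""
    src: str            # CIDR of permitted sources
    dst: str            # CIDR of permitted destinations
    proto: str          # "tcp" or "udp"
    port: Optional[int]


def _matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto == proto
            and (rule.port is None or rule.port == port))


def reachable(rules, src, dst, proto, port) -> bool:
    """True if any permit rule lets src reach dst on proto/port (default deny)."""
    return any(_matches(r, src, dst, proto, port) for r in rules)


def can_authenticate(account_domain: str, resource_domain: str, trusts) -> bool:
    """Trust direction. `trusts` holds (trusting, trusted) pairs: accounts from
    the trusted domain may use resources in the trusting domain, never the reverse."""
    return (account_domain == resource_domain
            or (resource_domain, account_domain) in trusts)


def exposure(rules, compromised_hosts, inside_services):
    """Inside services a compromised host set can reach. inside_services is a
    list of (host, proto, port); returns the reachable subset with its source."""
    hits = []
    for src in compromised_hosts:
        for host, proto, port in inside_services:
            if reachable(rules, src, host, proto, port):
                hits.append((src, host, proto, port))
    return hits


def overbroad(rules):
    """Audit: rules that permit any port or a whole subnet as destination."""
    return [r for r in rules
            if r.port is None or ip_network(r.dst).num_addresses > 1]


# --- constructed scenario (assumed addresses and roles) ------------------
DMZ_NET, LAN_NET = "192.0.2.0/24", "10.0.0.0/24"
DMZ_DC, DMZ_WEB = "192.0.2.10", "192.0.2.20"
LAN_DC, LAN_FILE = "10.0.0.10", "10.0.0.50"

# Representative DC-to-DC ports for a Windows trust (assumption: confirm the
# exact set and any RPC dynamic range against vendor documentation).
TRUST_PORTS = [("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88),
               ("tcp", 135), ("tcp", 389), ("udp", 389), ("tcp", 445)]

# "Open a hole" read literally: the whole DMZ may reach the whole LAN.
LOOSE_RULES = [Rule(DMZ_NET, LAN_NET, "tcp", None),
               Rule(DMZ_NET, LAN_NET, "udp", None)]
# Same trust, minimal hole: only the DMZ DC, only to the LAN DC, only trust ports.
TIGHT_RULES = [Rule(f"{DMZ_DC}/32", f"{LAN_DC}/32", proto, port)
               for proto, port in TRUST_PORTS]

INSIDE_SERVICES = [(LAN_DC, "tcp", 88), (LAN_DC, "tcp", 389),
                   (LAN_FILE, "tcp", 445), (LAN_FILE, "tcp", 3389)]

TRUSTS = {("DMZ", "LAN")}   # DMZ trusts LAN, one way


if __name__ == "__main__":
    print("LAN account on DMZ server:", can_authenticate("LAN", "DMZ", TRUSTS))
    print("DMZ account on LAN server:", can_authenticate("DMZ", "LAN", TRUSTS))
    for name, rules in (("loose", LOOSE_RULES), ("tight", TIGHT_RULES)):
        print(f"{name}: compromised web server reaches",
              exposure(rules, [DMZ_WEB], INSIDE_SERVICES))
        print(f"{name}: compromised DMZ DC reaches",
              exposure(rules, [DMZ_DC], INSIDE_SERVICES))
        print(f"{name}: overbroad rules:", overbroad(rules))
```

Run as-is, the model shows the point the question is circling: the trust itself only lets LAN accounts onto DMZ resources, never DMZ accounts onto the LAN, but the firewall rule written to carry it decides how much of the inside a compromised DMZ host can touch. With the loose rule a compromised web server reaches every listed inside service; with the tight rule it reaches nothing, and even a compromised DMZ DC is limited to the trust ports on the LAN DC. Running `overbroad` against the real rule set is the check to make before the hole goes in.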
