Re: W2K3 domain in DMZ
From: Hairy One Kenobi (abuse_at_[127.0.0.1)
Date: Tue, 15 Jun 2004 09:14:21 +0100
"John Koswalski" <email@example.com> wrote in message
> Yes a single domain DMZ
> I'm thinking about
> Fire Wall
> Public subnet on 1st NIC
> Private subnet on 2nd NIC
> This for all servers that have a need for internet connectivity, the
> would only have the private subnet configured an be used for backups,
> account management etc ... perhaps extra hardend using IPSec, IP filtering
> etc ....
> Main concerns is getting a DMZ that we can centrally manage and backup
> server, from that server to tape)
One thing that you didn't mention is the size of the site/number of servers,
or the sort of services on offer.
If it's relatively small, then you might want to think about NATing them -
this will get you your private network on one NIC, with no exposure of your
inner firewall address (OK, so any cracker worth his salt can sniff it out,
but he'll have to do so without being spotted).
Outbound traffic (again, if this is a fairly small organization) can be
routed directly through the two firewalls (best option: use a different
public connection, e.g the backup to your primary site)
With this sort of scenario, backups and updates are pulled/pushed through
the inner firewall, giving you minimum exposure. Servers are administered by
TS sessions, again through the firewall.
This sort of setup also allows you to add a "tripwire" honeypot server - a
box that looks enticing, but is never used in reality. Something that looks
like an FTP server is probably the easiest thing to set up.
This certainly won't satisfy everyone, but works well in a (emphasis)
relatively small setup. I use this myself, at home. Both connections are
NATted, to different private IP address ranges.
Personally, I prefer a non-domain setup (don't like the prospect of having
all machines compromised by one password, or of having a DNS in the DMZ).
YMMV - and probably will!
http://www.codecutters.org/resources/win2000lockdown.html for a
non-exhaustive list, and targeted towards smaller setups.
-- Hairy One Kenobi Disclaimer: the opinions expressed in this opinion do not necessarily reflect the opinions of the highly-opinionated person expressing the opinion in the first place. So there!