Re: W2K3 domain in DMZ

From: Hairy One Kenobi (abuse_at_[127.0.0.1)
Date: 06/15/04

  • Next message: S. Pidgorny : "Re: W2K3 domain in DMZ"
    Date: Tue, 15 Jun 2004 09:14:21 +0100
    
    

    "John Koswalski" <john.koswalski@perfectitsolutions.nl> wrote in message
    news:%23uu1mS%23TEHA.3988@TK2MSFTNGP10.phx.gbl...
    > Yes a single domain DMZ
    >
    > I'm thinking about
    >
    > Fire Wall
    >
    > Public subnet on 1st NIC
    > Private subnet on 2nd NIC
    >
    > This for all servers that have a need for internet connectivity, the
    others
    > would only have the private subnet configured an be used for backups,
    > account management etc ... perhaps extra hardend using IPSec, IP filtering
    > etc ....
    >
    > Main concerns is getting a DMZ that we can centrally manage and backup
    (one
    > server, from that server to tape)

    One thing that you didn't mention is the size of the site/number of servers,
    or the sort of services on offer.

    If it's relatively small, then you might want to think about NATing them -
    this will get you your private network on one NIC, with no exposure of your
    inner firewall address (OK, so any cracker worth his salt can sniff it out,
    but he'll have to do so without being spotted).

    Outbound traffic (again, if this is a fairly small organization) can be
    routed directly through the two firewalls (best option: use a different
    public connection, e.g the backup to your primary site)

    With this sort of scenario, backups and updates are pulled/pushed through
    the inner firewall, giving you minimum exposure. Servers are administered by
    TS sessions, again through the firewall.

    This sort of setup also allows you to add a "tripwire" honeypot server - a
    box that looks enticing, but is never used in reality. Something that looks
    like an FTP server is probably the easiest thing to set up.

    This certainly won't satisfy everyone, but works well in a (emphasis)
    relatively small setup. I use this myself, at home. Both connections are
    NATted, to different private IP address ranges.

    Personally, I prefer a non-domain setup (don't like the prospect of having
    all machines compromised by one password, or of having a DNS in the DMZ).
    YMMV - and probably will!

    http://www.codecutters.org/resources/win2000lockdown.html for a
    non-exhaustive list, and targeted towards smaller setups.

    -- 
    Hairy One Kenobi
    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
    

  • Next message: S. Pidgorny : "Re: W2K3 domain in DMZ"

    Relevant Pages

    • Re: 2 IP adresses but only one to register
      ... > The routed subnet and the private unrouted subnet are on the same physical ... > private unrouted IP address but have to use a server share. ... >> If you are doing this to keep them from accessing anything but the RAS ...
      (microsoft.public.windows.server.dns)
    • Re: Help with security design documentation
      ... Not sure if you are quoting me with "we have a private network ... network to talk to the empty DMZ". ... managed 10/100 switch with 1000Mb/s port for DC server connectivity. ...
      (microsoft.public.security)
    • Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?
      ... Presently we use a private IP address range for this that is ... > public IPs in the DMZ? ... public stuff should be on its own physical subnet. ... Paul D. Robertson "My statements in this message are personal opinions ...
      (Firewall-Wizards)
    • Re: Help with security design documentation
      ... Google for Steve Riley's "Death of the DMZ" ... Protect your Windows Network by Riley and Johannson ... port for DC server connectivity. ... have a private network that we run a public server on, ...
      (microsoft.public.security)
    • Re: Routing over two interfaces
      ... Can you post the ipconfig/all from the server please? ... While there was only one outgoing route at any given time, ... > want the default outgoing route to be on a public subnet, ... > incoming traffic on the private subnet succeed. ...
      (microsoft.public.windows.server.sbs)