Security Basics mailing list archives
RE: Question about dmz security
From: "Garbrecht, Frederick" <FGarbrecht () ecogchair org>
Date: Sat, 15 Feb 2003 15:50:10 -0500
I went through this problem with our network as well. You are correct that this arrangement represents a security risk. Since you are dual homed into both your dmz and internal network, you have effectively negated the value of having segregated vlans. If your dmz server is compromised with an ftp exploit, then the attacker has a clear shot into your protected network over the other nic. The true degree of risk depends on your exact architecture and the rules you have implemented on your firewall. If you have only one way into the dmz from your internal network (that being through the firewall), you have a much less complex task of making sure that a compromise of your dmz server does not lead to compromise of your entire network.

The type of architecture you describe is sometimes set up and justified in Windows networks to simplify Windows networking; when you segregate your vlans appropriately to ensure security, you start to run into problems with Windows name resolution and any rpc dependent applications you may be running. What is often overlooked, however, is that a secure installation requires that these services be severely restricted anyway or turned off altogether in a bastion host residing on a dmz. So, you ARE correct; you'll likely need to do a careful analysis of the services running and any cross-vlan interdependencies, and then you can rationally plan to get rid of the unnecessary nic.

Good luck.
Fred

-----Original Message-----
From: Jennifer Fountain
To: security-basics () securityfocus com
Sent: 2/14/03 2:42 PM
Subject: Question about dmz security

I need an opinion on a current design implementation in place. We have an ftp server sitting in our dmz. This box has two nics - one is plugged into the dmz hub and one is plugged into our network. I think this is a security risk and we should just allow internal users access to the box via the firewall by opening the port instead of having dual nics. They do not see a security risk.

Maybe I am just too new at this and need some education. What is the "best" way to implement this configuration?

Thank you
Jenn Fountain
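The point made in the exchange above, as an added example that is not part of the thread: a small reachability model over a constructed topology (three segments, a firewall allow-list, and the ftp box in both its dual-homed and single-nic form) showing that the second nic is a path the firewall never sees, while opening port 21 through the firewall keeps the dmz box reachable for internal users without giving it a route back in.

```python
from collections import deque

# Constructed sample topology (assumption, not the poster's real network).
# host name -> set of segments its nics are plugged into.
DUAL_HOMED = {
    "ftp":        {"dmz", "internal"},   # the questioned design: two nics
    "fileserver": {"internal"},
}
SINGLE_NIC = {
    "ftp":        {"dmz"},               # the proposed fix: one nic in the dmz
    "fileserver": {"internal"},
}

# Firewall policy as (src_segment, dst_segment, port) allow tuples.
# Internal users reach the ftp box only because of an explicit rule.
RULES = {("internal", "dmz", 21), ("outside", "dmz", 21)}


def bridging_hosts(hosts):
    """Hosts whose nics touch more than one segment: each is a path between
    segments that the firewall does not mediate (the cross-vlan audit step)."""
    return sorted(h for h, segs in hosts.items() if len(segs) > 1)


def bypasses_firewall(hosts, host, protected):
    """True if `host` has a nic directly on `protected`, so a compromise of
    `host` reaches that segment without traversing the firewall at all."""
    return protected in hosts[host]


def reachable_segments(hosts, rules, start, port):
    """Segments an attacker holding `start` can reach on `port`.

    A host's own nics give it direct access to every segment they touch.
    Reaching any further segment requires a firewall allow rule from a
    segment already reached; segments are explored breadth-first.
    """
    seen = set(hosts[start])
    queue = deque(seen)
    while queue:
        seg = queue.popleft()
        for src, dst, p in rules:
            if src == seg and p == port and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen
```

With the dual-homed box, a compromised ftp server reaches the internal segment on any port regardless of policy; with a single nic it is confined to the dmz, while internal users still reach it on port 21 through the rule.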