Security Basics mailing list archives
RE: Access from DMZ Was: AD in the DMZ . . . OK?
From: "Depp, Dennis M." <deppdm () ornl gov>
Date: Mon, 02 Aug 2004 13:43:29 -0400
This statement I can agree with. We need to recognize there are exceptions but in this case, there are better ways to achieve the goal. Dennis -----Original Message----- From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net] Sent: Monday, August 02, 2004 11:24 AM To: security-basics () securityfocus com Subject: Re: Access from DMZ Was: AD in the DMZ . . . OK? On 2004-08-02 Depp, Dennis M. wrote:
On 2004-07-30 Ansgar -59cobalt- Wiechers wrote:If I'm reading you correctly that would still require access from the DMZ to the DC, thus still violating the DMZ. No host in the DMZ should ever be able to access any service inside the internal network.I've often wondered if this is really possible. In today's environment, we have to provide some access to our internal networks either from the DMZ or from the internet. (VPN for example.) Is it possible to continue to stay with this phillosophy and still not have direct Internet connections into you secure network (even VPN connections).
I would say that VPNs can be considered a special case since hosts connected through a VPN are actually part of the internal network. There *may* be reasons to violate a DMZ, however, these reasons should be very well evaluated and I fail to see that simplified user management for a web application should be reason enough. Regards Ansgar Wiechers -- "Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both." --Benjamin Franklin ------------------------------------------------------------------------ --- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Access from DMZ Was: AD in the DMZ . . . OK? Depp, Dennis M. (Aug 02)
- Re: Access from DMZ Was: AD in the DMZ . . . OK? Ansgar -59cobalt- Wiechers (Aug 02)
- <Possible follow-ups>
- RE: Access from DMZ Was: AD in the DMZ . . . OK? Depp, Dennis M. (Aug 03)