Re: Host placement and DMZ internal/external questions.

[Micheal Espinola Jr <michealespinola () gmail com>]

In general, any server that acts as a service gateway should not be on
a screened subnet (DMZ).  The reason is that it will require you to
open more ports between multiple subnets, thus increasing your
potential attack vector.

Service gateways are generally best served via port-forwarding.

IMHO, DMZ-based systems should never allow external connections to
reach internal resources.  This methodology is also evident in Cisco
router configuration tools.

HTH

On 10/13/05, Adam T <123security () gmail com> wrote:
> I have a few questions I have about dmz internal and external networks
> that I need help with.
>
> 1 if you have a host such as citrix that must have access to the
> internal network does that sit on your DMZ?
>
> 2 antivirus mail gateway servers / Antivirus update server does that
> sit on your DMZ ?
>
> 3 a squid proxy that internal hosts access
>
> with the examples above do I place the hosts on the DMZ and then
> modify firewall rules so that the host has the access they need to
> perform as an internal network host? if so how is that different than
> opening up a specific port directed to a specific host on internal
> network for outside world access?
>
> part of my confusion lies in that when I think DMZ I think that the
> host should never touch the internal network and be left out in the
> DMZ alone.
>
> I hope I have stated my questions clearly
> thank you for your responses.
>
> /at


--
ME2  <http://www.santeriasys.net/>