Security Basics mailing list archives
Re: Host placement and DMZ internal/external questions.
From: Micheal Espinola Jr <michealespinola () gmail com>
Date: Mon, 17 Oct 2005 10:20:31 -0400
In general, any server that acts as a service gateway should not be on a screened subnet (DMZ). The reason is that it will require you to open more ports between multiple subnets, thus increasing your potential attack vector. Service gateways are generally best served via port-forwarding. IMHO, DMZ-based systems should never allow external connections to reach internal resources. This methodology is also evident in Cisco router configuration tools.

HTH

On 10/13/05, Adam T <123security () gmail com> wrote:
I have a few questions I have about DMZ internal and external networks that I need help with.

1 If you have a host such as Citrix that must have access to the internal network, does that sit on your DMZ?
2 Antivirus mail gateway servers / antivirus update server: does that sit on your DMZ?
3 A Squid proxy that internal hosts access.

With the examples above, do I place the hosts on the DMZ and then modify firewall rules so that the host has the access they need to perform as an internal network host? If so, how is that different than opening up a specific port directed to a specific host on the internal network for outside world access?

Part of my confusion lies in that when I think DMZ, I think that the host should never touch the internal network and be left out in the DMZ alone. I hope I have stated my questions clearly. Thank you for your responses.

/at
-- ME2 <http://www.santeriasys.net/>
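
The point made in the reply above, that a DMZ host should not relay external connections to internal resources, can be checked mechanically against a firewall rule list. The following is an added example, not part of the original thread; the `Rule` format, zone names, host names and ports are constructed for illustration.

```python
from collections import namedtuple

# One permitted flow through the firewall. "any" is a wildcard host.
Rule = namedtuple("Rule", "src_zone src_host dst_zone dst_host port")

# Constructed rule set modelling the three hosts from the question
# (Citrix gateway, antivirus mail gateway, Squid proxy) placed in a DMZ.
RULES = [
    Rule("external", "any", "dmz", "citrix-gw", 443),
    Rule("dmz", "citrix-gw", "internal", "citrix-farm", 1494),
    Rule("dmz", "citrix-gw", "internal", "dc01", 389),
    Rule("external", "any", "dmz", "mail-av", 25),
    Rule("dmz", "mail-av", "internal", "exchange", 25),
    Rule("external", "any", "dmz", "www", 80),
    Rule("internal", "any", "dmz", "squid", 3128),
    Rule("dmz", "squid", "external", "any", 80),
]


def external_to_internal_paths(rules):
    """Pair each external->DMZ rule with every DMZ->internal rule that starts
    at the same DMZ host: those hosts can relay outside traffic inward."""
    inbound = [r for r in rules if (r.src_zone, r.dst_zone) == ("external", "dmz")]
    onward = [r for r in rules if (r.src_zone, r.dst_zone) == ("dmz", "internal")]
    paths = []
    for i in inbound:
        for o in onward:
            # A wildcard on either side matches every DMZ host.
            if "any" in (i.dst_host, o.src_host) or i.dst_host == o.src_host:
                host = o.src_host if i.dst_host == "any" else i.dst_host
                paths.append((host, i.port, o.dst_host, o.port))
    return sorted(paths)


def openings_by_zone_pair(rules):
    """Count permitted flows per (source zone, destination zone) pair."""
    counts = {}
    for r in rules:
        key = (r.src_zone, r.dst_zone)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for host, in_port, target, out_port in external_to_internal_paths(RULES):
        print(f"{host}: external:{in_port} -> {target}:{out_port}")
    print(openings_by_zone_pair(RULES))
```

Each reported path is a DMZ host that accepts outside connections and is also allowed to open connections inward; the zone-pair counts show how many openings the placement adds between subnets.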