Security Basics mailing list archives
Re: DMZ - Question
From: "Daniel Anderson" <dtndan () gmail com>
Date: Fri, 26 Oct 2007 16:16:08 -0500
> > On the DMZ we will have a Web Server that needs access back to the Mainframe on the LAN, and a Mail server that needs access to another mail server on the LAN.
>
> Bad idea. You don't want hosts in the DMZ to be able to establish connections into the LAN. That would be breaking the concept of a DMZ (allow connections from a network with higher security level to a network with lower security level, but not vice versa). There are several ways to deal with this problem, e.g. replicate the information from the servers into the DMZ, use bastion hosts, or put the servers from the LAN into a second DMZ.
Don't take general rules too far. You don't want connections from the outside connecting directly to systems on the inside at all. Specific systems in the DMZ accessing specific systems/services on the LAN is normal and acceptable. Trying too hard to stick to this general rule usually results in worse systems (replication impacting integrity, additional complexity impacting availability, etc). These DMZ systems should be minimized and hardened so in effect they are the bastion host. In some environments you would want additional segmentation on the LAN, but it's probably not realistic or a good idea to move your mainframe into a DMZ. PIXs do stateful inspection.
> The web server needs to have access to a mainframe. How would you
> increase security if not with a DMZ?

You can do this well with one PIX - If I were you and had 2 PIXs I'd use the other one for redundancy.

    Internet Router --> PIX <--> WAN/LAN router <---> LAN <--- MainFrame
                         |
                        DMZ
                         |
                     Web Server

You can put Inet -> DMZ and DMZ -> LAN ACLs on the PIX - Logically doing what you were doing with the two PIXs. There could be some value in sticking with 2 firewalls if they were different vendors/technologies, but again, you need to be careful here too. If your firewall admins are good at PIX and you throw something they don't know into the mix you could easily be worse off. As far as the NAT goes - I think generally you NAT/PAT to the outside from the inside or the DMZ and "no NAT" between the inside and DMZ/DMZ and inside so that is just routing.
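As an added illustration that is not part of this thread, this is what the single-PIX policy described in the reply above could look like in PIX 6.3 syntax: Inet -> DMZ and DMZ -> LAN ACLs, PAT to the outside, and "no NAT" between inside and DMZ. Interface names, all addresses, and the mainframe port (TN3270 on tcp/23) are assumed values chosen for the example.

```cisco
! Added example (not from the thread). Addresses, interface names and the
! mainframe port are assumed values; substitute your own.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.1.0.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0

! Inet -> DMZ: one public address per DMZ host, and the ACL admits only the
! published services (HTTP/HTTPS to the web server, SMTP to the mail relay).
! Anything else from the outside is dropped by the implicit deny.
static (dmz,outside) 203.0.113.3 172.16.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.4 172.16.1.11 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.3 eq 80
access-list outside_in permit tcp any host 203.0.113.3 eq 443
access-list outside_in permit tcp any host 203.0.113.4 eq 25
access-group outside_in in interface outside

! DMZ -> LAN: identity static = "no NAT" between inside and DMZ, so this is
! plain routing, and the ACL allows exactly the two required flows.
! 10.1.0.50 = mainframe (tcp/23 assumed), 10.1.0.25 = internal mail server.
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.255.0
access-list dmz_in permit tcp host 172.16.1.10 host 10.1.0.50 eq 23
access-list dmz_in permit tcp host 172.16.1.11 host 10.1.0.25 eq 25
! Log every other DMZ -> LAN attempt: a hit on this line is the signal that a
! DMZ box is misconfigured or compromised. Add any outbound the DMZ hosts
! genuinely need (DNS, update source) below it, as narrowly as possible.
access-list dmz_in deny ip any 10.1.0.0 255.255.255.0 log
access-group dmz_in in interface dmz

! Inside and DMZ -> Inet: PAT behind the outside interface address. The
! static entries above take precedence, so inside <-> DMZ traffic and the two
! published DMZ hosts are never rewritten by this rule.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
```

The stateful inspection mentioned in the thread means return traffic for the mainframe and mail sessions is allowed automatically; no reverse LAN -> DMZ rule is needed for those flows.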
Current thread:
- DMZ - Question hol64 (Oct 26)
- Re: DMZ - Question Ansgar -59cobalt- Wiechers (Oct 26)
- Re: DMZ - Question Daniel Anderson (Oct 29)
- Re: DMZ - Question Ansgar -59cobalt- Wiechers (Oct 29)
- Message not available
- Message not available
- Re: DMZ - Question kevin fielder (Oct 31)
- Re: DMZ - Question Daniel Anderson (Oct 29)
- Re: DMZ - Question Ansgar -59cobalt- Wiechers (Oct 26)
- <Possible follow-ups>
- Re: Re: DMZ - Question hol64 (Oct 26)
- Re: DMZ - Question Ansgar -59cobalt- Wiechers (Oct 29)