Security Basics mailing list archives

RE: Patching/ AV on the DMZ


From: "TVB NOC" <tvbnoc () temeculavalleybank com>
Date: Tue, 9 Oct 2007 12:36:29 -0700

One remedy is placing a VM with WUS on the DMZ and restricting access,
thus only allowing access from the Windows Update Servers to that DMZ VM
Host. In addition, you can then have the internal WUS pull updates
directly from the DMZ host machine, isolating ports and IP addresses to
only allow the internal WUS server communication to the DMZ Host.

One reason for doing this is that if the DMZ server is compromised it
still adds a layer of security to your internal network. In addition, if
the internal WUS is compromised it's pretty evident where you got
attacked from.

Hope this helps... Sorry for the grammatical mistakes too.. :)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of fac51 () yahoo com
Sent: Monday, October 08, 2007 3:59 AM
To: security-basics () securityfocus com
Subject: Patching/ AV on the DMZ

I would like to know what the risks are of retrieving patches over the
internet rather than sneakernet. Currently all patch and AV updates are
completed by us in the old fashioned way. I would like to open those DMZ
hosts to our internal WSUS.
Am I asking for a world of hurt?

Thanks in advance.

S
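
The reply's design (the internal update server pulls from the DMZ host, and nothing else crosses that boundary) can be checked against a firewall rule export. The following is an added example, not part of the original thread; the addresses, rule names, rule format and the 8530/8531 WSUS ports are assumptions chosen for illustration.

```python
import ipaddress

# Constructed addressing and ports for illustration; none come from the post.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_WSUS = ipaddress.ip_network("10.1.1.10/32")
DMZ_WSUS = ipaddress.ip_network("192.0.2.10/32")
WSUS_PORTS = {8530, 8531}  # assumed WSUS HTTP/HTTPS ports; match your install

# Constructed sample rule set (rule ordering / first-match is not modelled).
SAMPLE_RULES = [
    {"name": "wsus-pull", "action": "allow", "src": "10.1.1.10/32",
     "dst": "192.0.2.10/32", "port": 8530},
    {"name": "dmz-push", "action": "allow", "src": "192.0.2.10/32",
     "dst": "10.1.1.10/32", "port": 8530},
    {"name": "lan-to-dmz", "action": "allow", "src": "10.0.0.0/8",
     "dst": "192.0.2.10/32", "port": 8530},
    {"name": "wsus-rdp", "action": "allow", "src": "10.1.1.10/32",
     "dst": "192.0.2.10/32", "port": 3389},
    {"name": "default-deny", "action": "deny", "src": "0.0.0.0/0",
     "dst": "0.0.0.0/0", "port": 0},
]

def audit(rules):
    """Return (rule name, reason) for allow rules that break the pull-only design."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src = ipaddress.ip_network(r["src"])
        dst = ipaddress.ip_network(r["dst"])
        if src.overlaps(DMZ_NET) and dst.overlaps(INTERNAL_NET):
            # A compromised DMZ host must not be able to open sessions inward.
            findings.append((r["name"], "DMZ can initiate into the internal network"))
        elif src.overlaps(INTERNAL_NET) and dst.overlaps(DMZ_NET):
            if src != INTERNAL_WSUS or dst != DMZ_WSUS:
                findings.append((r["name"], "wider than internal WSUS to DMZ WSUS"))
            elif r["port"] not in WSUS_PORTS:
                findings.append((r["name"], "port is not a WSUS port"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

Only the `wsus-pull` rule passes: the connection is opened from the inside, between the two update servers, on an update port.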

