Security Basics mailing list archives
Re: Extending the DMZ
From: "Gleb Paharenko" <gpaharenko () gmail com>
Date: Fri, 17 Oct 2008 22:56:35 +0400
Hi. This is actually a bad idea. Though a lot of companies do so, you should perform at least a brief risk assessment. Find out how much it costs to do it the right way (say, by buying yet another server). Analyse how secure the server is. Compare the potential risk with the price of the "right way". If you're still going to publish it on the internet: harden it enough, perform a good vulnerability assessment, and develop an updating and patching policy so it is always up to date. Install an IPS and application firewall in front of it. Add more monitoring of events on this server. When you cannot bypass a risk, it is always possible to add controls to reduce probability and impact.

2008/10/15 CORP John Porter <jporter () rsac com>:
We have an ASA with a separate interface for the DMZ. Connected to that interface is a layer 2 switch, and then the DMZ servers. The Windows guys, working with Application Development, have created a new server in a blade center. The blade center has a layer 3 switch built in, which is connected to our core switch with a 4-port EtherChannel. Now they want the server they built made available on the internet. I have told them that the server must be moved to the DMZ, but they are reluctant to do that because they already built it on an internal blade server. They want me to create a VLAN on the layer 3 switch and connect 1 port from the layer 3 switch to the layer 2 DMZ switch, so the server will be available on the DMZ. This seems like a very bad idea to me:
- Someone can misconfigure the server and end up with it acting as a router to pass traffic between the DMZ and inside network
- The layer 3 switch is going to route traffic between the new VLAN and the inside network
- Even if I manage to lock things down so that it works, there may be other problems/exploits that make this a bad idea.
Am I just being paranoid, or is this definitely a bad idea?
--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
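A configuration sketch of the setup John describes, added here as an illustration that is not from either poster: it assumes a Cisco IOS-style layer 3 switch, and the interface names, VLAN number 200 and the 192.0.2.0/24 address are made up. The weak form gives the switch an IP interface (SVI) in the DMZ VLAN, which is exactly the routed path around the ASA that the second bullet worries about; the hardened form keeps that VLAN at layer 2 only on the blade-center switch and restricts the uplink trunk.

```cisco
! WEAK: the blade-center layer 3 switch owns an IP interface in the DMZ VLAN.
! With "ip routing" on (it already routes the inside VLANs), this SVI is a
! second layer 3 path between the DMZ and the inside network that bypasses
! the ASA entirely.
ip routing
vlan 200
 name DMZ-EXT
interface Vlan200
 ip address 192.0.2.2 255.255.255.0
!
! HARDENED: VLAN 200 exists on this switch only as a layer 2 segment.
! No SVI means the switch has no route into or out of the DMZ VLAN, so the
! ASA remains the only layer 3 boundary for that segment.
vlan 200
 name DMZ-EXT
no interface Vlan200
!
! Blade server NIC: an access port in the DMZ VLAN only, no inside VLANs.
interface GigabitEthernet1/0/10
 description blade server - DMZ-facing NIC (assumed port)
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
!
! Uplink to the existing layer 2 DMZ switch: carry VLAN 200 and nothing
! else, so no inside VLAN can leak onto the DMZ switch, and disable DTP so
! the far end cannot negotiate a wider trunk.
interface GigabitEthernet1/0/24
 description uplink to DMZ layer 2 switch (assumed port)
 switchport mode trunk
 switchport trunk allowed vlan 200
 switchport nonegotiate
```

The first bullet, a blade whose other NIC sits in an inside VLAN and ends up forwarding between the two, is a host-level problem this switch configuration does not solve: keep IP forwarding disabled on the server and audit the switch configuration for any later-added SVI in VLAN 200, since that one line silently recreates the weak form.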