Educause Security Discussion mailing list archives
Re: Philosophy of DMZ
From: "Kowal, Michael" <KowalM () WPUNJ EDU>
Date: Wed, 20 Apr 2005 10:39:11 -0400
What is the optimal/most secure solution for servers that need to access Active Directory internally and/or a backup application? Is it just to put these servers in the DMZ and open the TCP ports? Are there other reasons that having these servers in your internal network is bad besides the fact that hacking one of these servers puts you right into the internal network? I'd like to build a bigger case against placing these servers internally because they need to access AD.

Thanks,
Michael Kowal

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mills, Michael
Sent: Wednesday, April 20, 2005 9:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Philosophy of DMZ

The challenge in an educational environment with web servers being in the DMZ is that at times teaching departments need access to those servers to update web pages or offer live web servers for teaching. This causes a problem if you are using integrated (Active Directory, LDAP, RADIUS) authentication to your back-end user databases, as you have to open "non-friendly" TCP and UDP ports from the DMZ to your internal network, thereby eliminating the true function of a DMZ. There are several ways to solve this problem, but leaving those web servers on your internal network (unless there is no external access) is a very bad solution. Feel free to contact me with any specific problems and I will do my best to answer your questions.

Thanks,
Michael Mills
mmills () rkon com
Practice Group Leader
RKON Technologies
Cell 630-854-4343
www.rkon.com

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ron Parker
Sent: Tuesday, April 19, 2005 5:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Philosophy of DMZ

Yep, isn't this the idea of a "DMZ"? It is the place where we put things that need access from both directions. I'll admit that things can get a little fuzzy from time to time, but in the classical sense, as I understand it, the DMZ ties the internal and external network services together. Some people may actually put servers "outside" the firewall in danger land, but I think most of us these days probably work with a DMZ where our external-facing servers live. In our case, our DMZ is just one arm of our firewall, so it is "inside" the firewall. To use the DMZ to mount an attack, an attacker would traverse the firewall to the DMZ and then have to go from the DMZ server back through the firewall to get to the internal servers. It's not perfect, but it's what we can afford. So, I don't know that you really give up anything by having a server in your DMZ, as I've described it. You can still build firewall policies around it to protect it and your internal services. Perhaps I've misunderstood your situation.

--
Ron Parker, Director of Information Technology, Brazosport College
Voice: (979) 230-3480
FAX: (979) 230-3111
http://www.brazosport.edu

On Tue, 19 Apr 2005, Michael J. Benedetto wrote:
Jake: Why not move the "internal" server to a DMZ and write the firewall rules so that both internal and external users can reach that system?

-Mike

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Tuesday, April 19, 2005 5:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Philosophy of DMZ

I've run into a situation where a solution we are implementing requires a web server to be on our inside network but needs to be accessed externally. This is happening much more frequently than I would like. We're doing some long-term planning and my office would like some feedback from other institutions. If I'm going to have to keep adding servers that can be accessed directly, is there still reason to have a DMZ? My understanding of having a DMZ is to not allow public external access to internal servers; all requests to internal servers should be answered by a proxy/reverse proxy server. Am I just an idealist? Can anyone share experiences with proxying? Anyone ever scrap their DMZ? Any policies that you can share on external access to internal web servers?

Jake Barros
Grace College

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
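The thread describes a policy in words: the DMZ is one arm of the firewall (Parker), internal and external users both reach the server through firewall rules (Benedetto), and the only "non-friendly" holes from the DMZ to the inside are the ones the server needs for AD authentication and backups (Mills, Kowal). The following Python model is an added example, not code from any of the posters or from their institutions. It encodes that policy as an ordered rule list and lets you compare what a compromised web server can reach when it sits in the DMZ versus on the internal network, which is the case Kowal wants to make. All addresses are constructed from documentation and private ranges, the rule set and the ports are assumptions (a server doing only LDAPS/Kerberos lookups; a placeholder backup port), and `evaluate`, `reachable_from` and the other names are invented for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed network: documentation and private ranges only, not any
# institution's real addressing.
ZONE_NETS = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}
WEB = "192.0.2.10"         # DMZ web server that authenticates against AD (assumed)
DC = "10.0.0.5"            # internal domain controller (assumed)
BACKUP = "10.0.0.9"        # internal backup server (assumed)
WORKSTATION = "10.0.1.20"  # an ordinary internal host (assumed)


def zone_of(addr: str) -> str:
    """Map an address to the firewall zone it sits in; anything else is Internet."""
    ip = ip_address(addr)
    for name, net in ZONE_NETS.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: Optional[str]      # pin to one host, or None for any host in the zone
    dst: Optional[str]
    proto: str
    dports: FrozenSet[int]
    action: str


# Ordered forward policy for a three-legged firewall: every Internet<->DMZ and
# DMZ<->internal flow crosses it.  Anything not matched is dropped.
POLICY = [
    # Public service: the Internet reaches only the web server, only on HTTP/HTTPS.
    Rule("internet", "dmz", None, WEB, "tcp", frozenset({80, 443}), "accept"),
    # Campus users reach the same server, plus SSH for staff who update pages.
    Rule("internal", "dmz", None, WEB, "tcp", frozenset({443, 22}), "accept"),
    # The DMZ-to-internal holes for AD authentication, pinned to one source
    # and one destination.  Ports assume LDAPS/Kerberos lookups only; a
    # domain-joined Windows host needs far more (RPC, SMB, dynamic ports).
    Rule("dmz", "internal", WEB, DC, "tcp", frozenset({636, 88}), "accept"),
    Rule("dmz", "internal", WEB, DC, "udp", frozenset({88, 53}), "accept"),
    # Backup agent to the backup server; the port is a placeholder assumption.
    Rule("dmz", "internal", WEB, BACKUP, "tcp", frozenset({10000}), "accept"),
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'accept' or 'drop' for a new flow.  Traffic that stays inside one
    zone never touches the firewall, so it is always accepted: that is the
    whole difference between an internal server and a DMZ server."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "accept"
    for r in POLICY:
        if (r.src_zone == sz and r.dst_zone == dz
                and (r.src is None or r.src == src)
                and (r.dst is None or r.dst == dst)
                and r.proto == proto and dport in r.dports):
            return r.action
    return "drop"


def reachable_from(src: str, candidates: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Subset of (dst, proto, dport) a host at `src` can open: the blast radius
    if that host is compromised."""
    return [c for c in candidates if evaluate(src, c[0], c[1], c[2]) == "accept"]


# Internal services an attacker who owns the web server would go after.
INTERNAL_TARGETS = [
    (DC, "tcp", 636),
    (DC, "tcp", 445),
    (BACKUP, "tcp", 10000),
    (WORKSTATION, "tcp", 445),
]

if __name__ == "__main__":
    print("web server in the DMZ can reach :", reachable_from(WEB, INTERNAL_TARGETS))
    print("same server on the inside reaches:", reachable_from("10.0.2.30", INTERNAL_TARGETS))
```

Run as a script, the first line lists only the LDAPS and backup holes; the second lists every target, because an internal server's traffic to other internal hosts never crosses the firewall. That gap, rather than the two AD ports themselves, is the argument for keeping the server in the DMZ, and the pinned source/destination on each DMZ-to-internal rule is what keeps those ports from "eliminating the true function of a DMZ".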
Current thread:
- Philosophy of DMZ Barros, Jacob (Apr 19)
- <Possible follow-ups>
- Re: Philosophy of DMZ Steven Osit (Apr 19)
- Re: Philosophy of DMZ Michael J. Benedetto (Apr 19)
- Re: Philosophy of DMZ Scholz, Greg (Apr 19)
- Re: Philosophy of DMZ Barros, Jacob (Apr 19)
- Re: Philosophy of DMZ Ron Parker (Apr 19)
- Re: Philosophy of DMZ Mills, Michael (Apr 20)
- Re: Philosophy of DMZ Davis, Thomas R. (Apr 20)
- Re: Philosophy of DMZ Daniel Adinolfi (Apr 20)
- Re: Philosophy of DMZ Scholz, Greg (Apr 20)
- Re: Philosophy of DMZ Kowal, Michael (Apr 20)
- Re: Philosophy of DMZ Herrera Reyna Omar (Apr 20)
- Re: Philosophy of DMZ Cal Frye (Apr 20)