Re: Philosophy of DMZ

["Kowal, Michael" <KowalM () WPUNJ EDU>]

What is the optimal/most secure solution for servers that need to access
Active Directory internally and/or a backup application? Is it just to
put these servers in the DMZ and open the TCP ports?

Are there other reasons that having these servers in your internal
network that are bad besides that fact that hacking one of these servers
puts you right into the internal network?

I'd like to build a bigger case against placing these servers internally
because they need to access AD.

Thanks,
Michael Kowal
-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mills, Michael
Sent: Wednesday, April 20, 2005 9:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Philosophy of DMZ

The challenge in an educational environment with web servers and being
in the DMZ is that at times teaching departments need access to those
servers to update web pages or offer live web servers for teaching.
This causes a problem if you are using integrated (Active Directory,
LDAP, Radius) authentication to your back end user databases, as you
have to open "non-friendly" TCP and UDP ports from the DMZ to your
internal network, thereby eliminating the true function of a DMZ.

There are several ways to solve this problem, but leaving those web
servers on your internal network (unless there is no external access) is
a very bad solution.

Feel free to contact me with any specific problems and I will do my best
to answer your questions.





Thanks,

Michael Mills
mmills () rkon com


Practice Group Leader

RKON Technologies

Cell    630-854-4343

www.rkon.com




-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ron Parker
Sent: Tuesday, April 19, 2005 5:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Philosophy of DMZ

Yep, isn't this the idea of a "DMZ"? It is the place where we put things
that need access from both directions. I'll admit that things can get a
little fuzzy from time to time but in the classical sense, as I
understand
it, the DMZ ties the internal and external network services together.
Some
people may actually put servers "outside" the firewall in danger land
but
I think most of us these days probably work with a DMZ where our
external
facing servers live. In our case, our DMZ is just one arm of our
firewall
so it is "inside" the firewall. To use the DMZ to mount an attack, an
attacker would traverse the firewall to the DMZ and then have to go from
the DMZ server back through the firewall to get to the internal servers.
It's not perfect but it's what we can afford.

So, I don't know that you really give up anything by having a server in
your DMZ, as I've described it. You can still build firewall policies
around it to protect it and your internal services. Perhaps I've
misunderstood your situation.

--
Ron Parker, Director of Information Technology, Brazosport College
Voice: (979) 230-3480             FAX: (979) 230-3111
http://www.brazosport.edu


On Tue, 19 Apr 2005, Michael J. Benedetto wrote:

> Jake:
>
> Why not move the "internal" server to a DMZ and write the firewall
rules so
> that both internal and external users can reach that system?
>
> -Mike
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
> Sent: Tuesday, April 19, 2005 5:31 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Philosophy of DMZ
>
> I've run into a situation where a solution we are implementing
requires
> a web server to be on our inside network but needs to be accessed
> externally.  This is happening much more frequently than I would like.
> We're doing some long-term planning and my office would like some
> feedback from other institutions.
>
> If I'm going to have to keep adding servers that can be accessed
> directly, is there still reason to have a DMZ? My understanding of
> having a DMZ, is to not allow public external access to internal
servers
> and all requests to internal servers should be answered by a
> proxy/reverse proxy server.  Am I just an idealist?
>
> Can anyone share experiences with proxying?  Anyone ever scrap their
> DMZ?  Any policies that you can share on external access to internal
web
> servers?
>
> Jake Barros
> Grace College
>
> **********
> Participation and subscription information for this EDUCAUSE
Discussion
> Group discussion list can be found at http://www.educause.edu/groups/.
>
> **********
> Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/groups/.
>

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
system manager. This message contains confidential information and is
intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail.
**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.