Security Basics mailing list archives

RE: Question about dmz security


From: "Peter Hamilton" <peter () rtfm co nz>
Date: Sat, 15 Feb 2003 14:48:02 +1300


Goodness. I'm no security guru, just a humble engineer, but when you
described the scenario you're running, my hairs stood on end. I would never
allow a host in a DMZ to have direct access to the production network. All
you need is the FTP server to be compromised and *boof* you've practically
laid out the welcome mat to a hacker. If all this box does is FTP,
then I'd recommend rules on your firewall to just let FTP to this host
through the firewall.

Cheers,
Peter Hamilton

-----Original Message-----
From: Jennifer Fountain [mailto:JFountain () rbinc com]
Sent: Saturday, 15 February 2003 08:42 a.m.
To: security-basics () securityfocus com
Subject: Question about dmz security



I need an opinion on a current design implementation in place. We have
an FTP server sitting in our DMZ. This box has two NICs - one is
plugged into the DMZ hub and one is plugged into our network. I think
this is a security risk and we should just allow internal users access
to the box via the firewall by opening the port instead of having dual
NICs. They do not see a security risk. Maybe I am just too new at this
and need some education. What is the "best" way to implement this
configuration?


Thank you
Jenn Fountain
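
An added example, not part of the original thread: a small audit for the two conditions discussed above, a host with interfaces in both the DMZ and the internal network, and firewall rules that let DMZ sources open connections inward. The zone ranges, host names, addresses and rule format are constructed for illustration.

```python
import ipaddress

# Constructed zone map, host inventory and rule list (assumptions, not from the thread).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
INVENTORY = {
    "ftp01": ["192.0.2.10", "10.1.4.20"],    # dual-homed, as in the question
    "web01": ["192.0.2.11"],                 # single NIC in the DMZ
    "files01": ["10.1.4.30", "10.1.5.30"],   # two NICs, both internal
}
RULES = [
    {"src": "10.0.0.0/8", "dst": "192.0.2.10/32", "port": 21, "action": "allow"},
    {"src": "192.0.2.0/24", "dst": "10.0.0.0/8", "port": None, "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None, "action": "deny"},
]

def zone_of(addr):
    """Return the name of the zone containing addr, or None if unmapped."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def bridging_hosts(inventory):
    """Hosts whose interfaces sit in more than one zone (traffic skips the firewall)."""
    findings = {}
    for host, addrs in inventory.items():
        zones = {zone_of(a) for a in addrs} - {None}
        if len(zones) > 1:
            findings[host] = sorted(zones)
    return findings

def dmz_initiated_allows(rules):
    """Allow rules from DMZ sources into the internal zone (rule order not modelled)."""
    hits = []
    for rule in rules:
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if (rule["action"] == "allow" and src.overlaps(ZONES["dmz"])
                and dst.overlaps(ZONES["internal"])):
            hits.append(rule)
    return hits

if __name__ == "__main__":
    for host, zones in bridging_hosts(INVENTORY).items():
        print(f"{host}: interfaces in {' and '.join(zones)}")
    for rule in dmz_initiated_allows(RULES):
        print(f"allow rule from DMZ into internal: {rule['src']} -> {rule['dst']}")
```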


