Security Basics mailing list archives

RE: How to design and build your DMZ!


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 26 Feb 2004 15:04:28 -0800

From: "Héroux, Christian" [mailto:Christian.Heroux () etsmtl ca]
I am looking for documents that could help identify the different
solutions when moving applications/servers into a DMZ. I am looking for
ideas and critiques of different solutions or architectures.

Depends on how secure you want it. Using multiple firewalls, routers, dead zones and proxies you can make your
solution very secure, and complex. Personally, I put my forward-facing systems in the DMZ and then use pinholes to control
the traffic from the DMZ systems to the LAN or Internet. The same goes for LAN systems: they have restricted access
to the DMZ, so the DMZ can't be compromised and used to compromise the LAN; it's just not a good launching pad, though
I also tightly restrict the services on my DMZ.

What I've wanted to experiment with is using SSL VPNs as a DMZ access device. Using that technology you can allow
access from only specific applications within a host system and can verify the CRC of those applications, which could
be used to make a rock-hard DMZ, though I've never done it.

My rule is: never assume traffic from your LAN is safe; block in and out of your LAN, and that includes to your DMZ.

- A website in the DMZ that wants to talk to Active Directory for authentication.

Depends on the application; you could get away with just LDAP access, but if it's
Windows integrated, anything that uses the SAM, you will need to open up more ports. Why people use AD as an Internet-based
auth system is beyond me; it's never been secure, and even if you lock down your DMZ->LAN you can still get a WHOLE bunch
of data from LDAP.

Personally, if you have to do that, use local accounts on the system in question; at least they don't have access to
your entire network.

- A website that needs to talk to a database. The databases are not in the DMZ.

Allow only access from the web server to the required database port. Then make sure the database can only talk to the
web server on that allowed port, and block everything else. Also, DON'T use a trusted account or connection. Use a limited
account in the database itself and give it only the access it needs. If you can get away with it, only allowing access to
SPs is your best bet.

- A website that needs to have a Windows shared folder (I know!!!)

No Comment!

- How to back up a DMZ server

Use the local Windows backup software and back up the system. Then use FTP to pull that file and delete it.

- How a proxy can be integrated into the solution

Use a forwarding proxy between the Internet and your web server (which uses the LAN-side DB) to protect the web server. Use
Linux as the proxy, because it's MUCH better at that than ISA or any Windows solution out there. You could use proxies
between your DMZ servers and the LAN-side resources, but I wouldn't.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
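The pinhole policy the post describes (the web server reaches one database port and nothing else crosses the DMZ/LAN boundary, with the LAN not trusted either), modelled as a small rule audit plus a "launching pad" check of what a compromised DMZ host could still reach. This is an added example, not code from the post or from Horizon USA; the zone subnets, host addresses and rule sets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
# Constructed addressing (assumption): one subnet per zone; anything else is Internet.
ZONES = {
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "LAN": ipaddress.ip_network("10.0.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    src: str              # host address or CIDR
    dst: str
    port: Optional[int]   # None means any port

def zone_of(addr: str) -> str:
    net = ipaddress.ip_network(addr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "INTERNET"

def audit(rules: List[Rule]) -> List[str]:
    """Findings against the post's policy: single-host, single-port pinholes only."""
    findings = []
    for r in rules:
        sz, dz = zone_of(r.src), zone_of(r.dst)
        if sz == dz:
            continue  # intra-zone traffic is not a DMZ pinhole
        if r.port is None:
            findings.append(f"{r.src}->{r.dst}: any-port rule across {sz}->{dz}")
        if ipaddress.ip_network(r.dst, strict=False).num_addresses > 1:
            findings.append(f"{r.src}->{r.dst}: destination is a range, not one host")
        if sz != "INTERNET" and ipaddress.ip_network(r.src, strict=False).num_addresses > 1:
            findings.append(f"{r.src}->{r.dst}: source is a whole zone, not one host")
    return findings

def reachable_from(host: str, rules: List[Rule]) -> Set[Tuple[str, Optional[int]]]:
    """Launching-pad check: what a compromised host can still reach outside its own zone."""
    h, zone = ipaddress.ip_address(host), zone_of(host)
    return {(r.dst, r.port) for r in rules
            if h in ipaddress.ip_network(r.src, strict=False) and zone_of(r.dst) != zone}

# Constructed rule sets: the pinhole layout the post describes, then one loose rule added.
GOOD_RULES = [
    Rule("0.0.0.0/0", "192.0.2.10", 443),   # Internet -> forwarding proxy
    Rule("192.0.2.10", "192.0.2.20", 443),  # proxy -> web server (same zone)
    Rule("192.0.2.20", "10.0.5.10", 1433),  # web server -> its database port only
]
BAD_RULES = GOOD_RULES + [Rule("192.0.2.0/24", "10.0.5.5", None)]  # whole DMZ -> DC, any port
```

Running `audit` over a real export of the DMZ firewall rules, and `reachable_from` for each DMZ host, turns the post's "not a good launching pad" goal into something that can be checked after every rule change.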

