Security Basics mailing list archives
RE: How to design and build your DMZ!
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 26 Feb 2004 15:04:28 -0800
> From: "Héroux, Christian" [mailto:Christian.Heroux () etsmtl ca]
> I am looking for documents that could help identify the different solutions when moving applications/servers into a DMZ. I am looking for ideas and critiques of different solutions or architectures.
Depends on how secure you want it. Using multiple firewalls, routers, dead zones and proxies you can make your solution very secure, and complex. Personally I put my forward-facing systems in the DMZ, then use pinholes to control the traffic from the DMZ systems to the LAN or Internet. The same goes for LAN systems: they have restricted access to the DMZ, so the DMZ can't be compromised and used to compromise the LAN. It's just not a good launching pad, though I tightly restrict the services on my DMZ. What I've wanted to experiment with is using SSL VPNs as a DMZ access device. Using that technology you can allow access only from specific applications within a host system and can verify the CRC of those applications, which could be used to make a rock-hard DMZ, though I've never done it. My rule is: never assume traffic from your LAN is safe; block in and out of your LAN, and that includes to your DMZ.
> - Website in the DMZ that wants to talk to an Active Directory for authentication.
Depends on the application. You could get away with just LDAP access, but if it's Windows-integrated, anything that uses SAM, you will need to open up more ports. Why people use AD as an Internet-based auth system is beyond me; it's never been secure, and even if you lock down your DMZ->LAN you can still get a WHOLE bunch of data from LDAP. Personally, if you have to do that, use local accounts on the system in question; at least they don't have access to your entire network.
> - Website that needs to talk to a database. Databases are not in the DMZ.
Allow access only from the web server to the required database port. Then make sure the database can only talk to the web server on that allowed port, and block everything else. Also, DON'T use a trusted account or connection. Use a limited account in the database itself and give it only the access it needs. If you can get away with it, only having access to SPs is your best bet.
> - Website that needs to have a Windows shared folder (I know!!!)
No Comment!
> - How to back up a DMZ server
Use the local Windows backup software and back up the system. Then use FTP to pull that file and delete it.
> - How a proxy can be integrated in the solution
Use a forwarding proxy between the I-Net and your web server (the one that uses the LAN-side DB) to protect the web server. Use Linux as the proxy, because it's MUCH better at that than ISA or any Windows solution out there. You could use proxies between your DMZ servers and the LAN-side resources, but I wouldn't.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338
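The pinhole policy the reply describes (web server to one database port, LAN not trusted towards the DMZ, everything else blocked), written out as an iptables rule set. This is an added example, not part of the original message; the interfaces, addresses and ports are constructed assumptions (documentation ranges, tcp/1433 for the database, FTP for the backup pull).

```shell
#!/bin/sh
# Added example: iptables pinholes for the DMZ layout described in the post.
# Assumed (constructed) topology, not from the original message:
#   eth0 = Internet, eth1 = DMZ (192.0.2.0/24), eth2 = LAN (10.0.0.0/24)
#   web server 192.0.2.10 (DMZ), database 10.0.0.20 (LAN, tcp/1433 assumed)
#   backup host 10.0.0.30 (LAN) pulls the backup file over FTP (tcp/21)
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
WAN=eth0; DMZ=eth1; LAN=eth2
WEB=192.0.2.10; DB=10.0.0.20; DB_PORT=1433; BACKUP=10.0.0.30

apply_dmz_rules() {
    # Nothing crosses the firewall unless a rule below says so.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies to allowed connections only; new connections need a pinhole.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Internet -> web server: only HTTP/HTTPS.
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$WEB" -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Web server -> database: the single required port, nothing else.
    $IPT -A FORWARD -i "$DMZ" -o "$LAN" -s "$WEB" -d "$DB" -p tcp --dport "$DB_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT

    # LAN is not trusted either: only the backup host may open FTP to the web server
    # (the FTP data channel relies on the nf_conntrack_ftp helper being loaded).
    $IPT -A FORWARD -i "$LAN" -o "$DMZ" -s "$BACKUP" -d "$WEB" -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Log anything else the DMZ tries to start towards the LAN, then drop it:
    # a compromised DMZ host probing the LAN shows up in syslog with this prefix.
    $IPT -A FORWARD -i "$DMZ" -o "$LAN" -j LOG --log-prefix "DMZ->LAN blocked: " --log-level 4
    $IPT -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
}

# "sh dmz-rules.sh apply" loads the rules; "IPT=echo sh dmz-rules.sh apply" just prints them.
if [ "${1:-}" = "apply" ]; then
    apply_dmz_rules
fi
```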