Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Extending the DMZ

From: "Gleb Paharenko" <gpaharenko () gmail com>
Date: Fri, 17 Oct 2008 22:56:35 +0400
Hi.

This is actually a bad idea. Though a lot of companies do so You
should perform at least brief risk assessment. Find out how much does
it cost to make it in a right way (say by buying yet another server).
Analyse how server is secure. Compare potential risk with price of the
"right way". If you're still going to publish it in the internet.
Harden it enough, perform a good vulnerability assessment, develop
updating and patching policy, so it is always up2date. Install in
front of IPS and application firewall. Add more monitoring on events
of this server. When you can not bypass risk, it is always possible
add controls to reduce probability and impact.

2008/10/15 CORP John Porter <jporter () rsac com>:

We have an ASA with a separate interface for the DMZ. Connected to that
interface is a layer 2 switch, and then the DMZ servers. The Windows
guys, working with Application development, have created a new server,
in a blade center. The blade center has a layer 3 switch built in, which
is connected to our core switch with a 4 port Etherchannel. Now they
want the server they built made available on the internet. I have told
them that the server must be moved to the DMZ, but they are reluctant to
do that because they already built it on an internal Blade Server. They
want me to create a VLAN on the layer 3 switch and connect 1 port from
the layer 3 switch to the layer 2 DMZ switch, so the server will be
available on the DMZ.

This seems like a very bad idea to me:
- Someone can mis-configure the server and end up with it acting as a
router to pass traffic between the DMZ and inside network
- The layer 3 switch is going to route traffic between the new VLAN and
the inside network
- Even if I manage to lock things down so that it works, there may be
other problems/exploits that make this a bad idea.

Am I just being paranoid, or is this definitely a bad idea?






-- 
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
Previous By Date Next
Previous By Thread Next

Current thread: