Firewall Wizards mailing list archives

Re: Is it possible at all ...?


From: Ryan Russell <ryan () securityfocus com>
Date: Sat, 26 Aug 2000 11:22:30 -0700 (PDT)

On Fri, 25 Aug 2000, Chris wrote:

> different IP networks. I'd like to set up the DMZ and the
> Inside as follows, so that the domain controllers can
> exchange information, browsing works, NT user
> authentication and all the typical NT Domain stuff
> work.
>
> Is that possible at all? I opened ports
> 135,137,138,139 between the DMZ and the Inside but I
> cannot get it to work.


Perhaps you don't have a WINS server set up, or the DMZ machines can't
reach it, or don't have it programmed properly?  As soon as you go to more
than one IP subnet (which you almost always have to do with a DMZ) you
will have to use WINS to make things work right.

Of course, and I'm sure I won't be the only one to point this out, with
the setup you've described, you might as well not have a DMZ.  The moment
one of your DMZ machines gets nailed (and you have to assume it
will... that's why DMZs exist) then the attacker has everything they need
to 0wn any inside machine they want.  

Why do you want NetBIOS running between the inside and DMZ?

                                        Ryan
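The point Ryan makes above, that a NetBIOS hole from the DMZ to the inside lets a compromised DMZ host reach every inside machine, can be checked mechanically against a rule set. The following is an added example and is not code from either message in the thread: a small first-match packet-filter evaluator in Python, with a constructed topology (DMZ 192.0.2.0/24, inside 10.0.0.0/24, a domain controller at 10.0.0.10, a DMZ web server at 192.0.2.20 assumed compromised) and assumed rule layout and function names. It evaluates the policy Chris described (135, 137, 138, 139 open DMZ to inside) next to a policy with no DMZ-initiated access to the inside at all.

```python
"""Added example: a first-match packet-filter policy evaluator used to show
why opening TCP/UDP 135, 137, 138 and 139 from the DMZ to the inside network
defeats the purpose of the DMZ.  This is not code from the original thread;
the networks, addresses, rule layout and function names are assumptions
constructed for the demonstration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The ports Chris opened, as named in the thread.  (Windows 2000 and later
# also speak SMB directly on TCP 445, which the thread does not mention.)
NETBIOS_PORTS = frozenset({135, 137, 138, 139})
PROTOS = ("tcp", "udp")


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    ports: frozenset     # destination ports; empty frozenset = any port


def matches(rule, src_ip, dst_ip, proto, port):
    """True if a packet (src_ip -> dst_ip, proto/port) is covered by the rule."""
    return (ip_address(src_ip) in ip_network(rule.src)
            and ip_address(dst_ip) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and (not rule.ports or port in rule.ports))


def evaluate(policy, src_ip, dst_ip, proto, port, default="deny"):
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in policy:
        if matches(rule, src_ip, dst_ip, proto, port):
            return rule.action
    return default


def reachable_netbios(policy, src_ip, dst_ip):
    """(proto, port) pairs of NetBIOS services src_ip can reach on dst_ip."""
    return {(proto, port)
            for proto in PROTOS
            for port in NETBIOS_PORTS
            if evaluate(policy, src_ip, dst_ip, proto, port) == "permit"}


def exposed_inside_hosts(policy, src_ip, inside_cidr):
    """Inside hosts on which src_ip can reach at least one NetBIOS port."""
    return [str(host) for host in ip_network(inside_cidr).hosts()
            if reachable_netbios(policy, src_ip, str(host))]


# Constructed topology (assumption): DMZ on 192.0.2.0/24, inside on
# 10.0.0.0/24, the inside domain controller at 10.0.0.10, and a DMZ web
# server at 192.0.2.20 that we assume has been compromised.
DMZ_NET = "192.0.2.0/24"
INSIDE_NET = "10.0.0.0/24"
INSIDE_DC = "10.0.0.10"
DMZ_WEB = "192.0.2.20"

# The policy as described in the thread: NetBIOS opened DMZ -> inside.
AS_DESCRIBED = [
    Rule("permit", DMZ_NET, INSIDE_NET, "any", NETBIOS_PORTS),
]

# A tightened policy: nothing initiated from the DMZ reaches the inside;
# only inside-initiated connections to DMZ services are allowed.
TIGHTENED = [
    Rule("permit", INSIDE_NET, DMZ_NET, "tcp", frozenset({80, 443})),
    Rule("deny", DMZ_NET, INSIDE_NET, "any", frozenset()),
]


if __name__ == "__main__":
    for name, policy in (("as described", AS_DESCRIBED), ("tightened", TIGHTENED)):
        print(f"[{name}] NetBIOS services on the DC reachable from {DMZ_WEB}:",
              sorted(reachable_netbios(policy, DMZ_WEB, INSIDE_DC)))
        print(f"[{name}] inside hosts exposed on NetBIOS ports:",
              len(exposed_inside_hosts(policy, DMZ_WEB, INSIDE_NET)))
```

Under the rule set as described, the compromised web server reaches all eight TCP/UDP NetBIOS services on the domain controller and on every other host in the inside /24; under the tightened set it reaches none. The model only evaluates connection direction, so on a real stateful filter the reply traffic for inside-initiated connections is handled by the state table rather than by a DMZ-to-inside permit rule.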


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

