Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: safety of unidirectional NT trusts

From: "S. Jonah Pressman" <jpressman () sympatico ca>
Date: Wed, 16 Jan 2002 21:26:05 -0500
Phooey!  You're in a tough spot.  If you follow the wishes of the decision
makers, you'd might as well take the "D" out of "DMZ".

What about an alternative solution?  Will your sponsoring decision makers pay
for the hard and soft dollars for a good non-Microsoft VPN implementation (eg.
Shiva, Timestep, etc.)

SJP

hermit921 wrote:


I have been tasked with permitting M$ networking access between an NT
server on the DMZ an other Windows machines behind the firewall.  My plan
is to not let the DMZ machine initiate any connections to the internal
machines, but they can initiate connections to the DMZ machine.  The DMZ
machine should be set up to trust the internal machine, but the internal
machine should not trust the DMZ machine; I know I can't control this on
the firewall.  I don't know much about M$ networking, I don't get to make
decisions, I just implement firewall rules whether I like them or not.

My main question is:  is this unidirectional connection initiation and
trust help much more secure than bidirectional?  Given that I have to allow
this network traffic, can I do any better on the firewall rules?

hermit921

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: