DMZ design
in [Firewalls]
|
From: DigitalVinyl on 30 Nov 2005 22:46 "Frankster" <Frank(a)SPAM2TRASH.com> wrote: >> It does work in the real world, though many people >> seem to be reluctant to do it right, because the other >> way is so much easier. > >It's not about "easy", it's about money. A realistic risk analysis verses >costs. Some's worth it, some's not. > >-Frank Often, I find it isn't about money. It is about the politics. Most of us get to inherit stuff. As a consultant you inherit almost everything. If the existing system is foully organized and exposes the company to problems, capacity, security, performance, or capability problems, there is all too often a desire to ignore and hide the problem and pretend it isn't really there. This leads to a bastardization to work around things. Management doesn't want to admit they've fucked up in the past. This leads to that ever popular cycle of "we're the new managemnt-let's change everything". Oldmanagement would never admit to fuckups , new management wants to blame old management and pretend that they have some great plan to make things "better". Technical and real world requirements be damned.
From: Jeff B on 12 Dec 2005 02:57 >>You don't want *any* host in the DMZ to be able to establish >> connections >> into your private network, since that would break the DMZ. Put the >> backend servers into the DMZ (or a separate second DMZ). Replicate >> (push!) the relevant data from your backend servers to servers in the >> DMZ. But *never* *ever* allow connections from the DMZ to the >> internal network Back to some definitions and basics. A LAN can be many things, none of which are accessible by public IP address assignments. A DMZ is a set of components isolated from the Internet and the backend processors by firewalls on both sides Public -- FW(#1) --- DMZ systems -- FW(#2) --- backend processing(BEP) Best practices says the corporate LAN should not be accessible from the DMZ or the public Internet. The WWW.* systems have components in the DMZ which may be compromised from time to time (which is why we need backups, pagers and have jobs). By segmenting the networks and using non-default ports in the backend processing, access from the Public net to the BEP can only be achieved by software in the DMZ properly configured (ie no scripting kiddy is crossing two firewalls which have no natural routes into the BEP). Now you can run a DBMS in the BEP subnet and again, the kiddies can't run injections scripts and smash your data. Yea, there's much more to configure, and you need to bind the applications externally rather than default address and ports, but it's also safe, secure, and scalable when expansion is needed. -- --- Jeff B (remove the No-Spam to reply)
First
|
Prev
|
Pages: 1 2 3 Prev: REQ: Sonicwall SOHO3 Firmware Next: Firewall port 1105 (FTRANHC) & port 1239 (NMSD) ? |