DMZ and Internal Network Access

neopipil

Member
Feb 15, 2002
I was hoping to get some input on the following situation. I want to be informed so I can counter with a thoughtful and realistic answer.

Here at work we want to make the intranet site available over the Internet. We consulted with the security people and they are telling us that in order for the intranet site to be available both via the internet and via the internal network they need to move the web server onto the DMZ. Is this the way things are normally done? I ask because from my understanding, the DMZ is not supposed to talk to the internal network, but we need to access a database server and a forums server. I don't think moving the database and forums server to the DMZ is a good idea. What do you guys think?

neopipil
 

spidey07

No Lifer
Aug 4, 2000
ANY publicly accessible server (that is a server with a public IP and open application ports) should absolutely be placed in a DMZ. There are many different definitions of DMZ, but the gist is a network protected by a firewall that has limited access - both from external and internal sources.

Here are a few ways to do it. If your company actually has network security folks, listen to them.

I
|
FW--DMZ
|
Internal net

OR this -

I
|
FW
|
DMZ
|
FW
|
Internal net

hope this helps.
 

neopipil

Member
Feb 15, 2002
Thanks for your help spidey07. Your explanation made it clear as to why the security folks here want to move the servers onto the DMZ if we are to allow the intranet site to be accessed from the Internet. And yes, I work for a fairly large company so we do have a team solely dedicated to data and network security.

Thanks,

neopipil

 

q2261

Senior member
May 20, 2001
I dunno what kind of setup you guys have, but if you've got any sort of modern Cisco router or any of the consumer D-Link, Linksys, SMC etc. routers, they have virtual server capabilities where you can forward port 80 to any machine on the network...

This is the simplest solution.
 

n0cmonkey

Elite Member
Jun 10, 2001
Allowing port 80 between the DMZ and the internal network should not be a big problem. I would keep the database server off the net if you can help it though.
 

spidey07

No Lifer
Aug 4, 2000
The problem with forwarding port 80 or another port to an INTERNAL machine is if that machine were somehow compromised an intruder now has free run of the internal network.

Complete, total, free run. Scanning, sniffing, trojan planting.

Hence a DMZ network. If a DMZ net host were to get compromised then at least there are restrictions in place to allow that host to only talk to a few other boxes on a few ports.

For SOHO world this really isn't a big deal. For people with information to protect - it is a very big deal. :)
 

n0cmonkey

Elite Member
Jun 10, 2001
<< The problem with forwarding port 80 or another port to an INTERNAL machine is if that machine were somehow compromised an intruder now has free run of the internal network. >>

No need to forward blindly. A nice firewall rule between the DMZ and the internal network only allowing port 80 traffic into the DMZ (keeping state with stateful packet inspection) will keep port 80 from being totally open. Opening 1 port in 1 direction (kind of) would help minimize the problems you are mentioning.

<< Complete, total, free run. Scanning, sniffing, trojan planting. >>

Only of the data that goes between the internal network and the DMZ. If set up the way I am thinking this would be very little. With this compromised DMZ host you put your customers at the same risk you put yourself.

<< Hence a DMZ network. If a DMZ net host were to get compromised then at least there are restrictions in place to allow that host to only talk to a few other boxes on a few ports. >>

Exactly. There would definitely need to be rules for connections between the internal network and the DMZ to limit what traffic can go where. I can only think of two services in a DMZ that would need to have ports open. Those would be email and DNS. DNS needs UDP 53 open, and in some cases (offsite primary/secondary DNS) TCP 53 (but this should be heavily restricted). Email would need port 25 open, but that's it. For http/https traffic a keep state rule for port 80 coming in will be fine. The webserver should not need to start a connection to anywhere.

<< For SOHO world this really isn't a big deal. For people with information to protect - it is a very big deal. :) >>

:)
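A toy stateful packet filter, added here as an example and not code from anyone in the thread, to compare the two designs being argued: the "free run of the internal network" a forwarded port on a LAN host gives an intruder, versus keep-state rules that let a DMZ web server open connections only to specific internal hosts on specific ports. All addresses, the DB port 1433 and the probe list are assumptions made up for the example.

```python
"""Toy stateful packet filter to compare the two designs argued in this thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses and ports (assumptions for the example, not from the thread).
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
WEB_DMZ = ipaddress.ip_address("192.0.2.10")   # intranet web server moved to the DMZ
WEB_LAN = ipaddress.ip_address("10.0.0.30")    # same server left on the LAN, port 80 forwarded
DB = ipaddress.ip_address("10.0.0.20")         # database server stays internal
FORUMS = ipaddress.ip_address("10.0.0.21")     # forums server stays internal

@dataclass(frozen=True)
class Rule:
    src: object             # ip_network or ip_address
    dst: object
    dport: Optional[int]    # None = any port

def _in(scope, addr):
    return addr == scope if isinstance(scope, ipaddress.IPv4Address) else addr in scope

# DMZ design: only the NEW connections listed here are accepted; replies ride on state.
DMZ_POLICY = [
    Rule(ANY, WEB_DMZ, 80),        # Internet and LAN users may open HTTP to the web server
    Rule(WEB_DMZ, DB, 1433),       # web server may reach the DB: one host, one port (assumed)
    Rule(WEB_DMZ, FORUMS, 80),     # and the forums server, again one port
]
# "Just forward port 80" design: the LAN behind the forward is flat and unfiltered.
FORWARD_POLICY = [Rule(ANY, WEB_LAN, 80), Rule(INTERNAL, INTERNAL, None)]

class StatefulFilter:
    def __init__(self, policy):
        self.policy, self.flows = policy, set()

    def permit(self, src, dst, sport, dport):
        src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
        if (dst, src, dport, sport) in self.flows:      # reply to an established flow
            return True
        for r in self.policy:                            # otherwise it must be a permitted NEW flow
            if r.dport in (None, dport) and _in(r.src, src) and _in(r.dst, dst):
                self.flows.add((src, dst, sport, dport))
                return True
        return False

def blast_radius(policy, attacker, probes):
    """(host, port) pairs a compromised `attacker` host could still open under `policy`."""
    fw = StatefulFilter(policy)
    return sorted((str(h), p) for h, p in probes if fw.permit(attacker, h, 40000, p))
```

Run `blast_radius` with the same probe list against both policies: under `DMZ_POLICY` a compromised web server reaches only the DB port and the forums port, under `FORWARD_POLICY` it reaches every probed port on every internal host.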