> Can you speak to the possible vulnerabilities involved with
> setting up a separate "web resource" domain for the hosts
> in the DMZ and using trust relationships to specify access
> to internal resources? I have a client set up this way. I
> thought the arrangement was fairly elegant with good ease
> of management and an appropriate level of security (for what
> they were doing). What do you think?
Well, to do this, you still have to allow Microsoft Networking traffic, typically NetBIOS over TCP/IP, to your internal resources. While I think this configuration is better than having them all within the same domain, if one of the DMZ machines is compromised, it could then be used to attack internal machines via Microsoft Networking, and the attacker could try usernames and passwords on any of those internal machines.

But that doesn't mean that your client hasn't chosen an appropriate level of security in this instance. Security choices are typically tradeoffs between security and convenience; the amount of convenience in this setup may outweigh the fact that it's less secure. We all make tradeoffs like this all the time.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
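The risk the reply describes (a compromised DMZ host guessing usernames and passwords against internal machines over the Microsoft Networking ports the trust requires) is one you can at least watch for. The script below is an added example, not code from the list post or from Fig Leaf Software. It runs detection logic over constructed sample records that imitate the key fields of Windows failed-logon audit events (logon type 3 is a network logon, which is what SMB/NetBIOS authentication produces), and flags a DMZ source that accumulates a burst of failures against one internal host, noting whether a successful logon followed. The DMZ range 192.0.2.0/24, the host names and the field layout are assumptions; in practice you would feed it your exported security-log data.

```python
"""Flag password guessing over Microsoft Networking from DMZ hosts.

Added example. The sample records below are constructed for this
illustration: each line carries the fields that matter from a Windows
failed/successful network-logon audit event (timestamp, target host,
source IP, account name, logon type, outcome). They are not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed DMZ address range (documentation prefix); adjust to your site.
DMZ_NET = "192.0.2.0/24"

# Constructed sample: a DMZ web host tries several accounts against an
# internal file server and then gets in; an internal workstation fails
# repeatedly (outside the DMZ, so not our concern here); a second DMZ
# host has a single failure (below threshold).
SAMPLE_EVENTS = """\
2001-03-12T10:00:01 FILESRV01 192.0.2.10 administrator 3 FAILURE
2001-03-12T10:00:04 FILESRV01 192.0.2.10 backup 3 FAILURE
2001-03-12T10:00:09 FILESRV01 192.0.2.10 cfadmin 3 FAILURE
2001-03-12T10:00:15 FILESRV01 192.0.2.10 administrator 3 FAILURE
2001-03-12T10:00:21 FILESRV01 192.0.2.10 sqlservice 3 FAILURE
2001-03-12T10:00:30 FILESRV01 192.0.2.10 administrator 3 FAILURE
2001-03-12T10:00:45 FILESRV01 192.0.2.10 webuser 3 SUCCESS
2001-03-12T10:05:00 SQL01 192.0.2.20 administrator 3 FAILURE
2001-03-12T10:07:00 SQL01 10.1.1.50 jsmith 3 FAILURE
2001-03-12T10:07:30 SQL01 10.1.1.50 jsmith 3 FAILURE
2001-03-12T10:07:40 SQL01 10.1.1.50 jsmith 3 FAILURE
2001-03-12T10:07:50 SQL01 10.1.1.50 jsmith 3 FAILURE
2001-03-12T10:08:00 SQL01 10.1.1.50 jsmith 3 FAILURE
2001-03-12T10:08:10 SQL01 10.1.1.50 jsmith 3 FAILURE
"""


def parse_events(text):
    """Parse whitespace-separated records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, src, user, ltype, status = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "src": ipaddress.ip_address(src),
            "user": user.lower(),
            "logon_type": int(ltype),
            "status": status,
        })
    return events


def detect_dmz_guessing(events, dmz_net=DMZ_NET, threshold=5,
                        window=timedelta(minutes=5)):
    """Return one alert per (DMZ source, internal host) pair that logs at
    least `threshold` failed network logons inside any `window`.

    Only logon type 3 from an address inside `dmz_net` is considered, so
    ordinary internal password typos do not fire. Each alert records the
    burst size, the distinct accounts tried, and whether a successful
    network logon from the same source to the same host came afterwards,
    which is the case that most needs a human to look at it.
    """
    dmz = ipaddress.ip_network(dmz_net)
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != 3 or e["src"] not in dmz:
            continue
        key = (str(e["src"]), e["host"])
        bucket = failures if e["status"] == "FAILURE" else successes
        bucket[key].append(e)

    alerts = []
    for key, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it fits `window`.
            while ev["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                first = evs[start]["time"]
                burst = [b for b in evs[start:] if b["time"] - first <= window]
                last = burst[-1]["time"]
                alerts.append({
                    "source": key[0],
                    "host": key[1],
                    "failures": len(burst),
                    "users": sorted({b["user"] for b in burst}),
                    "first": first,
                    "last": last,
                    "success_after": any(s["time"] >= last
                                         for s in successes.get(key, [])),
                })
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_dmz_guessing(parse_events(SAMPLE_EVENTS)):
        print(f"{a['source']} -> {a['host']}: {a['failures']} failures, "
              f"accounts {a['users']}, success afterwards: {a['success_after']}")
```

The threshold and window are deliberately low because a DMZ host has no business attempting many different domain accounts against an internal server in a short span; on a real network you would tune them to the DMZ hosts' legitimate service-account traffic and feed the function records exported from the internal servers' security logs.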

