On Wed, 5 Jul 2000, Bill Stewart wrote:
> Hi all,
>
> I am a new Network Admin and have a question about server placement behind a
> firewall. Is it better to place a publicly accessible server on the DMZ
> with a hardened OS or to place it behind the firewall with the appropriate
> ports open? I am using NAT so does this really add another level of

If it's on the DMZ and it gets compromised, your DMZ is owned. If it's on
the internal network and it gets compromised, your internal network is
owned. Which is worse depends on what your business is, but most people
find DMZ compromise more palatable.

> security? More info: I'm getting a lot of pressure to have this box a
> member of our domain (rather than stand-alone, which I normally do). This

Never bow to pressure without a compelling business case and a full risk
analysis. The greater the risk, the more documentation and
recommendations for protection you should have.

Since you're new at this, think about this:

The more times you cave to pressure, the more pressure will be
put on you to cave. Plant your flag early if you intend to be doing the
same job for a while, most especially if you're the person to be held
responsible.

> is going to be a Win2K server running Terminal Services with the firewall
> opened up for RDP (TCP 3389) to the one machine (which is using one to one
> NAT). If the machine is only on the LAN and behind the firewall does the OS
> need to be hardened?

If it's publicly accessible, it needs to be hardened. If it has users, it
needs to be hardened. If it's on a network, it needs to be hardened. The
more of those that apply, the harder it needs to be.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson [EMAIL PROTECTED]
"My statements in this message are personal opinions
which may have no basis whatsoever in fact."