Any system that is going to have "public" access should be placed in the DMZ, but Terminal Server/Citrix servers present some special challenges because they are usually designed to permit outside access to internal systems. I can't speak to NT Terminal Server, but the Citrix box I used did have an encrypted login procedure. This may make it possible to use domain authentication to log in external users. Unfortunately it will be necessary to open some ports to get the server into the domain. My preference would be to establish local accounts on the server, run the application locally and only grant access to the internal resources required by the application.
This increases the admin factor slightly but provides better security. You might also consider establishing a separate domain for external users with associated "trust relationships" to the internal network. This is the approach that Microsoft uses.
-- Bill Stackpole, CISSP
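The arrangement recommended above, modelled as an added example (not code from either poster): the Terminal Server sits in the DMZ behind one-to-one NAT, RDP (TCP 3389) is the only service reachable from outside, and the server may reach only the back-end its application needs, so none of the ports domain membership would require are open toward the LAN. All addresses and the back-end port (1433) are constructed for the example.

```python
"""Toy policy model: Terminal Server in the DMZ behind 1:1 NAT, RDP only
inbound, and least-privilege access from the DMZ host into the LAN."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addressing: the public address maps 1:1 onto the DMZ host.
PUBLIC_TS = ip_address("203.0.113.10")
DMZ_TS = ip_address("192.168.100.10")
NAT_1TO1 = {PUBLIC_TS: DMZ_TS}
INTERNAL = ip_network("10.0.0.0/8")
DMZ = ip_network("192.168.100.0/24")
# Constructed: the only LAN resource the application needs (a DB on TCP 1433).
APP_RESOURCES = {(ip_address("10.0.5.20"), 1433)}


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def translate(flow: Flow) -> Flow:
    """Apply the 1:1 NAT: traffic addressed to the public IP lands on the DMZ host."""
    return Flow(flow.src, NAT_1TO1.get(flow.dst, flow.dst), flow.dport)


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a TCP flow under the DMZ design."""
    f = translate(flow)
    from_outside = f.src not in INTERNAL and f.src not in DMZ
    if from_outside and f.dst == DMZ_TS and f.dport == 3389:
        return "allow"  # RDP, and only RDP, to the one Terminal Server
    if f.src == DMZ_TS and f.dst in INTERNAL:
        # The DMZ host reaches only what the application requires; anything
        # else (including the ports a domain join would need) is blocked.
        return "allow" if (f.dst, f.dport) in APP_RESOURCES else "deny"
    return "deny"  # in particular, no direct Internet -> LAN path


if __name__ == "__main__":
    samples = [
        Flow(ip_address("198.51.100.7"), PUBLIC_TS, 3389),  # external RDP user
        Flow(ip_address("198.51.100.7"), PUBLIC_TS, 445),   # external SMB probe
        Flow(DMZ_TS, ip_address("10.0.5.20"), 1433),        # app -> its database
        Flow(DMZ_TS, ip_address("10.0.1.1"), 445),          # DMZ host -> LAN SMB
    ]
    for s in samples:
        print(f"{s.src} -> {s.dst}:{s.dport}  {decide(s)}")
```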
"Bill Stewart" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] 07/05/00 05:49 AM
To: <[EMAIL PROTECTED]>
cc:
Subject: Server placement
Hi all,
I am a new Network Admin and have a question about server placement behind a
firewall. Is it better to place a publicly accessible server on the DMZ
with a hardened OS or to place it behind the firewall with the appropriate
ports open? I am using NAT so does this really add another level of
security? More info: I'm getting a lot of pressure to have this box a
member of our domain (rather than stand-alone, which I normally do). This
is going to be a Win2K server running Terminal Services with the firewall
opened up for RDP (TCP 3389) to the one machine (which is using one to one
NAT). If the machine is only on the LAN and behind the firewall does the OS
need to be hardened?