Greetings all,

I wanted to ask for some advice from the group. My network will be growing
in approximately 3 months to the point where I will begin having clients ftp
to machines in the DMZ (NAT 10.x.x.x) network from the internet. I will
also have internal employees who wish to access the same information from
inside the firewall in as transparent a fashion as possible. My intention
was to, at least initially, place an FTP server in the DMZ which is also a
Win2K native mode PDC and create a one way trust such that it trusts my
internal domain. Testing indicates this meets the above goals, but I want
to see if there are any further ways to tighten this configuration.

I have a rule which drops all traffic initiated from the DMZ to my internal
network. Now, prior to this rule, I've had to add two (at least in
testing), one of which allows NBT from the FTP server to my Enterprise
object (all internal network groups), and one which allows NBT from the
Enterprise object to the FTP server.

I would expect someone to try to compromise the FTP server via FTP or HTTP
if that is ever enabled, and then create an NBT session to enter my system.
Is this likely, and what is the best way to prevent this? I wanted to seek
opinions before I placed this into production. Thanks for all of your help.

Mark
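The exposure the post is asking about comes down to rule ordering: the two NBT accept rules sit above the DMZ-to-internal drop, so a first-match rule base lets the FTP server open NBT sessions to every host in the Enterprise object, not just the domain controller it needs for the trust. The script below is an added example, not the poster's configuration and not Check Point syntax; it models a generic top-down, first-match rule base with constructed addresses (10.1.1.0/24 for the DMZ, 10.10.0.0/16 and 10.20.0.0/16 for the Enterprise object, 10.10.0.5 as an assumed internal domain controller) and compares the rule base as described with a tightened variant that restricts the FTP server's outbound NBT to that single DC. The tightened variant assumes the one-way trust only requires the DMZ PDC to talk to the internal domain controllers, which is an assumption to verify in your own testing.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Sequence

# All addresses and object names below are constructed for illustration;
# they are not the poster's real addresses and this is not Check Point syntax.
NBT_PORTS = frozenset({137, 138, 139})  # NetBIOS over TCP/IP: name, datagram, session

FTP_SERVER = ip_network("10.1.1.10/32")      # the DMZ FTP server / Win2K PDC
DMZ = ip_network("10.1.1.0/24")              # the whole DMZ segment
ENTERPRISE = (ip_network("10.10.0.0/16"),    # "Enterprise" object: all internal groups
              ip_network("10.20.0.0/16"))
INTERNAL_DC = ip_network("10.10.0.5/32")     # assumed internal domain controller


@dataclass
class Rule:
    name: str
    src: Sequence[IPv4Network]
    dst: Sequence[IPv4Network]
    ports: Optional[frozenset]   # None means any service
    action: str                  # "accept" or "drop"

    def matches(self, src: str, dst: str, port: int) -> bool:
        s, d = ip_address(src), ip_address(dst)
        return (any(s in n for n in self.src)
                and any(d in n for n in self.dst)
                and (self.ports is None or port in self.ports))


def first_match(rules: Sequence[Rule], src: str, dst: str, port: int) -> str:
    """Top-down, first-match evaluation as in a typical firewall rule base.
    Traffic that no rule matches is dropped (implicit cleanup rule)."""
    for r in rules:
        if r.matches(src, dst, port):
            return r.action
    return "drop"


# Rule base as described in the post: two NBT accepts placed above the DMZ->internal drop.
AS_DESCRIBED = [
    Rule("FTP server -> Enterprise NBT", [FTP_SERVER], ENTERPRISE, NBT_PORTS, "accept"),
    Rule("Enterprise -> FTP server NBT", ENTERPRISE, [FTP_SERVER], NBT_PORTS, "accept"),
    Rule("Drop DMZ -> internal", [DMZ], ENTERPRISE, None, "drop"),
]

# Tightened variant (assumption: the one-way trust only needs the DMZ PDC to reach
# the internal domain controllers, not every internal host).
TIGHTENED = [
    Rule("FTP server -> internal DC NBT", [FTP_SERVER], [INTERNAL_DC], NBT_PORTS, "accept"),
    Rule("Enterprise -> FTP server NBT", ENTERPRISE, [FTP_SERVER], NBT_PORTS, "accept"),
    Rule("Drop DMZ -> internal", [DMZ], ENTERPRISE, None, "drop"),
]

# Constructed sample of internal hosts to measure exposure against.
INTERNAL_HOSTS = ["10.10.0.5", "10.10.4.20", "10.20.7.99"]


def reachable_from(rules: Sequence[Rule], src: str, hosts: Sequence[str], port: int = 139):
    """Internal hosts the given source could open a session to on `port`;
    for the FTP server this is the blast radius if that host is compromised."""
    return [h for h in hosts if first_match(rules, src, h, port) == "accept"]


if __name__ == "__main__":
    for label, rb in (("as described", AS_DESCRIBED), ("tightened", TIGHTENED)):
        print(f"{label:13s}: FTP server can reach {reachable_from(rb, '10.1.1.10', INTERNAL_HOSTS)}")
        print(f"{label:13s}: other DMZ host can reach {reachable_from(rb, '10.1.1.77', INTERNAL_HOSTS)}")
```

Running it shows the described rule base letting the FTP server reach all three sample internal hosts on TCP 139, while the tightened rule base limits it to the DC; the return path (internal hosts initiating NBT to the FTP server) is unchanged in both, and any other DMZ host is still stopped by the drop rule. The same model can be extended with the real internal object membership to review any further exceptions added above the drop rule before they go into production.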
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================