On 5 Mar 2002 at 8:04, Nick Holland wrote:

> Bart Nikota wrote:
> >
> > Hi all!
> >
> > Sorry for the off topic, but I'm brain dead right now. ;-)
> >
> > I want to know if there would be any security risks in having two NICs in a
> > web server on the DMZ with different classes of IP address.
> >
> > i.e. Web services on 10.x.x.x and local network traffic on a 192.168.x.x.
> >
> > I want to be able to back up stuff on the web server from the PROtected side
> > without using Tunnels or PassThrough. Using GBPro3.1.3s and WinNT4 for
> > Webserving.
> >
> > Your thoughts appreciated,
> >
> > Bart
>
> If I understand what you are wanting to do, you want your web server
> in the DMZ AND on the local network.
>

That _was_ my thought....

> That defeats the purpose of the DMZ. Your web server isn't isolated,
> you have nothing controlling traffic between the web server and your
> network. If your web server is breached, your internal network is
> available to all.
>

Kind of what I thought too...

> Not a theoretical risk, either: Look at CodeRed II or Nimda: If your
> server was vulnerable, you would be attacked through port 80 (passed
> by the firewall, and probably within 30 minutes of setting up the
> box!), it was taken over via port 80, it would then broadcast its
> vulnerability to the world. Now, anyone who was probed by your
> machine could look back at your system, and do virtually anything with
> it, including exploring your now unprotected network, all through port
> 80...
>
> Not a good plan. NT and IIS have proven broken in the past, I wouldn't
> bet your data you have seen the last patch kits for them.
>
> Nick.
> --
> http://www.holland-consulting.net
>
> ---------------------------------------------------------------------
<snip footer>
>

Thanks for the reply Nick,

What you have said is really the dangers that I've been worried about,
and thought it unwise to expose my network that way.

So for another dumb question --- How does one back up a web server on
the DMZ to a Tape library on the PRO side? Or is it just best to take
the WebServer down at a low usage time (1:00am -- ouch!) and plug it in
to the local net?

Any other thoughts out there?

Thanks,

Bart
