On Thu, Mar 14, 2013 at 8:22 AM, David Lum <[email protected]> wrote:
> What’s the risk difference between a server in a DMZ (firewalls on each end)
> and port forwarding from the Internet to a machine inside a network
> perimeter? Scenario: I have PCs that use port xxxx to talk to a management
> server. I’m wondering if that server needs to be in the DMZ (with that port
> opened), or if forwarding that port through is functionally the same thing?
>
> David Lum
> Sr. Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764

Go back to the fundamentals.

Why do you have a DMZ - that is, what is the fundamental reason that
you have a DMZ? It is to have a place where you can put machines that
are untrusted, but to which your production network (and perhaps other
untrusted networks) need access.

So, if it's untrusted, and you need access, what is the fundamental
thing you *DON'T* do? You don't allow untrusted machines unrestricted
access to your production network. In particular, you don't allow
machines in the DMZ to initiate traffic to the production network.
Machines in a DMZ should only respond to requests for traffic from the
production network, or if they need to initiate traffic to the
production network, that traffic should be strictly limited and
thoroughly examined by a proxy that understands the traffic in
question.

So:
o- Where are the machines located that need access to your management server?
o- Does the server initiate any traffic, or is it just the clients?

If all of the clients are in the production network, and you have all
of them under your control, then putting the management server in the
DMZ is not required. If the clients are both in and out of the
production network, put the management server in a DMZ and make sure
you have a firewall that understands the traffic (an application layer
gateway, or proxy). Simple port forwarding doesn't examine the
traffic.

I'll make another sweeping statement here: Don't put any machine in
the DMZ that requires membership in your production domain. At that
point you don't have a DMZ, you merely have another subnet of your
production network, and basically no protection. It's possible that
TMG could act as a proxy for something like this, but I'd be very
nervous about it.

Kurt
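Kurt's rules, written out as an nftables ruleset. This is an added illustration, not part of the original thread; the interface names, the address 192.0.2.10 and port 8443 (standing in for "port xxxx") are placeholders.

```nft
# Constructed example: three-legged firewall.
#   eth0 = Internet, eth1 = DMZ, eth2 = production LAN
define WAN       = eth0
define DMZ       = eth1
define LAN       = eth2
define MGMT      = 192.0.2.10   # management server, placed in the DMZ (placeholder)
define MGMT_PORT = 8443         # placeholder for "port xxxx"

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections permitted below may flow back; nothing else does.
        ct state established,related accept
        ct state invalid drop

        # Clients in production and on the Internet may open the management
        # port on the DMZ host, and only that port.
        iifname $LAN ip daddr $MGMT tcp dport $MGMT_PORT ct state new accept
        iifname $WAN ip daddr $MGMT tcp dport $MGMT_PORT ct state new accept

        # The DMZ host never initiates toward production. The chain policy
        # already drops this; the explicit rule logs attempts so a compromised
        # DMZ host probing inward shows up in the firewall log.
        iifname $DMZ oifname $LAN ct state new log prefix "dmz-to-lan-init: " drop
    }
}

# Only needed if the DMZ uses private addressing: publish the management port.
# With plain "port forwarding" the same dnat would point at a host on $LAN,
# and the forward-chain restrictions above would have nothing to protect.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname $WAN tcp dport $MGMT_PORT dnat to $MGMT
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset` that no accept rule matches `iifname eth1 oifname eth2` with state new; if one is ever added for a domain-joined host, the DMZ has become the extra production subnet Kurt describes.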

