Yeah, it depends on how you want to design your network and how security-conscious (paranoid) you want to be. DMZ can be inside; you are just separating areas of trust, or lack thereof, in the below example.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: Webster [mailto:[email protected]]
Sent: Friday, January 07, 2011 4:21 PM
To: NT System Admin Issues
Subject: RE: AD and firewall ports

I did some work for a member of the Global Fortune 15 where their network was:

Internet -> FW -> perimeter servers -> FW -> DCs -> FW -> member servers -> FW -> PCs

I couldn't ping by NetBIOS name or FQDN DC1 sitting above DC2 in the same rack because DNS was in the perimeter network. And they wonder why they had name resolution issues!

Webster

From: Free, Bob [mailto:[email protected]]
Subject: RE: AD and firewall ports

Agreed, the old M&M paradigm is long gone. The other thing I find intriguing about this thread is that the proximity of the OP's DMZ to the internet is unknown, let alone its intended purpose. The classic definition of a DMZ only standing between an internal network and the internet is no longer valid. I have DCs in DMZs on the main network; heck, I have one environment where all the DCs in the forest are in DMZs, there are firewalls all over the place, and the internet isn't even part of the equation.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
