No, you make your internal network hard and crunchy on the inside as well. This
is a common problem I've seen in MANY places. "Oh, we have a firewall, we're fine!" No.
If you don't go to the trouble of securing your internal network and
hosts, what good is the security you've done on the outside? All it takes
is one bad CGI for your pants to be at your ankles.

You have several good options for adding additional layers of security, on top
of just a firewall. Harden the host (patches, removal of services, etc.), ACLs
on your switches to allow and disallow certain types of traffic, run an IDS
or 2, run some form of HIDS, LOOK at your machines on a regular basis (this one
gets missed a lot). And many more, most of which fall into the 'best practices' that
so few actually seem to follow. Things like peer code review for new
CGI apps, research on patches that you are applying, staging your work with
a prod/stage/dev network, etc.

t


On Thu, 14 Feb 2002, Dennis Depp wrote:

> But if the box is compromised, so is your internal network!  ;(
>
> Denny
>
> At 06:30 PM 2/12/2002 +0000, James McGee wrote:
> >The last place I worked at had a great method...
> >
> >Put an additional NIC in them; that way you can keep it separate, and you can also
> >use this for the admin of the site.  In addition, this ensures that backups
> >do not interfere with network utilisation to and from the servers!
> >
> >Ensure that the servers will not forward packets.
> >
> >
> >----- Original Message -----
> >From: "Sean Richardson" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Monday, February 11, 2002 6:43 PM
> >Subject: Backup for win2k boxes in the DMZ
> >
> >
> >Looking for opinions on the best method to back up Win2K web servers in a
> >DMZ from a single server with a DLT drive. It seems that most backup
> >programs need NetBIOS enabled in order to back up remote machines, and I would
> >much rather not have this enabled even though it would be blocked at the
> >firewall. Thanks!
> >
