On Mon, 25 Feb 2002, Gegerfelt, Michael stated:
> Hi all
>
> I have a question regarding topology in a DMZ zone. How do you guys put
> up a network with the following design?
>
> (It is a customer of ours and I want to implement the best solution)
>
> Today they have three domains (one for their internal site, one for their
> "external site" - the DMZ - and one for their sister company).
> (Sorry for my limited vocabulary and my spelling)
>
> They have one NT domain for their internal (let's say that one is called
> internal), they also have an NT4 domain called (let's say external, great
> imagination huh.. ). Is it even recommended to have a separate domain for
> the DMZ? I have heard from some guys that they prefer to put their NT
> boxes as Stand Alone instead...
>
> Any pros and cons for different topologies?
>
> Yours sincerely
>
> -------------------------------
> Michael Gegerfelt
Well, I suppose that you are only using the term "domain" as in WinNT domain and not Internet domain here.. The reason for using NT domains is to use the "single logon" feature, which means that you will only have to authenticate once to access resources in that domain (or trusted domains).

In case of the DMZ... I suppose that this DMZ will _not_ have any servers posing as file, print or logon servers - right? In that case, I don't see any reason why those boxes should be in the same domain.

If I remember correctly (it was a while ago that I poked around with NT), the NT domain authentication model relies upon NetBIOS, which there is no reason to have accessible (or even running) on an Internet connected (and reachable) machine. Disable NetBIOS over TCP/IP, Microsoft Share and Printing (or whatever it's called) and block ports 135-139 at your firewall (the firewall should not let anything through except for traffic bound to ports offering "public" services in your DMZ).

Do as your NT friends told you... run those servers as stand alone machines (don't forget patching - if NT4 they'll certainly need it ;).

Patrik Birgersson
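The firewall policy described in the reply above (default deny, only the declared public service ports reachable in the DMZ, 135-139 never reachable from the Internet) can be checked mechanically. The ruleset audit below is an added example, not code from this thread; its rule format, zone names, first-match semantics and sample rulesets are all constructed for illustration.

```python
"""Audit a DMZ firewall ruleset: default deny, only declared public ports
reachable from the Internet, and NetBIOS/RPC ports 135-139 never reachable.
The Rule format, zone names and sample rulesets are constructed for this example."""
from dataclasses import dataclass

NETBIOS_PORTS = range(135, 140)          # 135-139 inclusive, as in the reply above

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src_zone: str        # "internet", "dmz", "internal" or "any"
    dst_zone: str
    proto: str           # "tcp", "udp" or "any"
    port_lo: int
    port_hi: int

def evaluate(rules, src_zone, dst_zone, proto, port):
    """First-match evaluation; no matching rule means the implicit default deny."""
    for r in rules:
        if (r.src_zone in (src_zone, "any") and r.dst_zone in (dst_zone, "any")
                and r.proto in (proto, "any") and r.port_lo <= port <= r.port_hi):
            return r.action
    return "deny"

def audit_dmz(rules, public_ports):
    """Return a list of findings; an empty list means the ruleset matches the policy."""
    findings = []
    for proto in ("tcp", "udp"):
        for port in NETBIOS_PORTS:
            if evaluate(rules, "internet", "dmz", proto, port) == "allow":
                findings.append(f"NetBIOS port {proto}/{port} reachable from internet")
        for port in range(1, 65536):
            if port in NETBIOS_PORTS or port in public_ports.get(proto, ()):
                continue
            if evaluate(rules, "internet", "dmz", proto, port) == "allow":
                findings.append(f"non-public port {proto}/{port} reachable from internet")
    return findings

# Constructed samples: a weak ruleset that passes all TCP, and a corrected one.
WEAK_RULES = [Rule("allow", "internet", "dmz", "tcp", 1, 65535)]
FIXED_RULES = [
    Rule("deny", "any", "any", "any", 135, 139),           # explicit NetBIOS block
    Rule("allow", "internet", "dmz", "tcp", 25, 25),       # public mail
    Rule("allow", "internet", "dmz", "tcp", 80, 80),       # public web
    Rule("allow", "internet", "dmz", "tcp", 443, 443),
]
PUBLIC = {"tcp": {25, 80, 443}}                            # declared public services

if __name__ == "__main__":
    print(audit_dmz(WEAK_RULES, PUBLIC)[:3])               # first few of many findings
    print(audit_dmz(FIXED_RULES, PUBLIC))                  # []
```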