Title: Message

I understand what you are saying, but there is a basic premise here:

 

A DMZ is like a no man's land, not to be trusted. Only have out there what is needed.

 

Think of it this way: where did the name come from? War. It is an untrusted zone, to be treated with questions and suspicion.

 

Yes, you may let only those things necessary into the DMZ from the Internet. But you would not let those into your network, correct?

 

The connection from the LAN to and from the DMZ is supposed to be hardened and more secure than that of the Internet to and from the DMZ. What you are proposing is the opposite, trusting that the security from the Internet into the DMZ is strong enough.

 

I am sorry, I do not buy that. I am going to allow a certain amount of traffic into the DMZ. I am going to further restrict and lessen that into the LAN.

 

Another analogy if I may:

 

The Internet is like a 50-lane super highway with bikers, trucks, vans, buses, cars, fire, police etc. You do not want all that coming into your house, correct? Well, there are off ramps and streets. A DMZ is like your neighborhood. Quiet, not a lot of traffic. (In theory anyway.) So, you have cut down on most of the traffic. But you still do not want all those people coming into your house. So you have a door with a lock. And you look to see who is there before opening the door.

 

Remember, security is not supposed to be convenient. The easier you make it to do something yourself, the easier it is for someone else.

 

 

John Tolmachoff

IT Manager, Network Engineer

RelianceSoft, Inc.

Fullerton, CA 92835

www.reliancesoft.com

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 18, 2002 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [SonicWALL]- [SonicWall] backup the DMZ

 

Again, my point being, if the protocols required to be able to do any of that don't work from the LAN, what is the issue?  That's the whole point of a firewall - to block things you want blocked.  I can't sit outside of my network and do any of the things I can do from the LAN to the DMZ - it's all disabled that way... I know that shares are frequent targets - but if a firewall isn't capable of doing this, why do we even purchase them?  Why wouldn't we just never have a public server?

 

Just because something works from the LAN to the DMZ doesn't equate to the fact that it works from the WAN to the DMZ - that's the whole point of setting up rules and securing the firewall, isn't it?

 

J

 

 

-----Original Message-----
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 18, 2002 10:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [SonicWALL]- [SonicWall] backup the DMZ

 

 

http://www.blackhat.com/presentations/win-usa-01/Shultz-LeBlanc/w2k-01-shultz-leblanc-Foiling-JD.ppt

http://searchwin2000.techtarget.com/searchWin2000/downloads/Implementing_a_Secure_ISA_Server.ppt

http://www.xinetica.com/tech_explained/general/hacking_dmz/wp_hacking_dmz.htm

http://www.lbl.gov/ICSD/Security/guidelines/iis-server.html

 

If it was as easy and secure as mapping drives from internal to DMZ, don't you think everyone would be doing that?

 

Mapped drives require shares. Shares are easy and frequent targets. (I am sure you are not mapping to default $.) A mapped drive, if I am not mistaken, is an always available connection. That would seem to be inviting a hack.

 

If it so easy for you to set it up, that translates into easy for someone else to do the same, is it not?

 

Of course, I could be way off base, being that I am still green, having only been in Networking for about 1½ years now.

 

I am sure someone else can clear the air.

 

John Tolmachoff

IT Manager, Network Engineer

211 E. Imperial Hwy., Suite 106

Fullerton, CA  92835

714-578-7999, ext. 104

[EMAIL PROTECTED]

www.reliancesoft.com

 

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 18, 2002 7:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [SonicWALL]- [SonicWall] backup the DMZ

 

Maybe I'm missing something - not sure how it'd be "asking for trouble".

 

NetBIOS is enabled from LAN to DMZ.  Disabled everywhere else.  Default rules from WAN are disallow, only a few services opened up in rules.

 

Machines in DMZ can't map drives back out to LAN, only from LAN can map a drive.  Machines in DMZ are standalone servers, not part of the domain, no accounts anywhere even close to any accounts on the domain in the LAN.  Passwords are all 15 character randomly generated alpha numeric with other printable characters thrown in.

 

Don't need an LMHOSTS file because I've got static entries in my WINS servers for machine names/IPs in the DMZ that the LAN clients leverage for name lookups to the external addresses.

 

If I'm missing something obvious, please point out the trees for the forest to me. :-)

 

J

 
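The rule set described in the reply above (NetBIOS allowed LAN to DMZ, nothing initiated DMZ to LAN, WAN to DMZ default deny with a few services opened), modeled as an added example. This is not code from the thread and not a SonicWALL export; it is a first-match policy evaluator with an implicit deny, plus an audit of the invariants the two posters are arguing over. The zone address ranges, the host addresses, and the published WAN services (tcp/80, 443, 25) are assumptions. It goes one step beyond what was posted: it also audits a tightened variant in which LAN-to-DMZ NetBIOS is permitted from the backup server alone rather than from the whole LAN, which is the "further restrict" direction argued for earlier in the thread, and the as-posted policy is flagged only on that point.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# NetBIOS over TCP/IP plus direct-hosted SMB: what a backup agent needs
# in order to reach a DMZ host by name and open its shares.
NETBIOS = (("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445))

# Assumed addressing (constructed): the thread's DMZ hosts carry public IPs,
# so the TEST-NET range stands in for them here.
ZONES = {"LAN": ip_network("10.0.0.0/24"), "DMZ": ip_network("192.0.2.0/27")}
BACKUP_SERVER = "10.0.0.5"      # assumed: the LAN host running Backup Exec
LAN_WORKSTATION = "10.0.0.77"   # assumed: any other LAN client
DMZ_WEB = "192.0.2.10"          # assumed: a standalone DMZ server
INTERNET_HOST = "198.51.100.9"  # assumed: an arbitrary WAN address
PUBLISHED = {("tcp", 80), ("tcp", 443), ("tcp", 25)}  # assumed WAN->DMZ services


def zone_of(ip: str) -> str:
    """Map an address to LAN or DMZ; anything else is the Internet (WAN)."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                  # "tcp", "udp" or "any"
    port: Optional[int]         # None = any destination port
    action: str                 # "allow" or "deny"
    src_host: Optional[str] = None  # restrict the rule to one source address
    dst_host: Optional[str] = None  # restrict the rule to one destination

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        return (zone_of(src_ip) == self.src_zone
                and zone_of(dst_ip) == self.dst_zone
                and self.proto in ("any", proto)
                and self.port in (None, port)
                and self.src_host in (None, src_ip)
                and self.dst_host in (None, dst_ip))


def decide(policy, src_ip, dst_ip, proto, port) -> str:
    """First matching rule wins; no match at all means deny."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action
    return "deny"


# The policy as described in the thread: NetBIOS from the whole LAN into the DMZ.
POLICY_AS_POSTED = (
    [Rule("LAN", "DMZ", p, n, "allow") for p, n in NETBIOS]
    + [Rule("WAN", "DMZ", p, n, "allow") for p, n in PUBLISHED]
    + [Rule("DMZ", "LAN", "any", None, "deny")]
)

# Tightened variant: the same, but only the backup server may speak NetBIOS/SMB.
POLICY_TIGHTENED = (
    [Rule("LAN", "DMZ", p, n, "allow", src_host=BACKUP_SERVER) for p, n in NETBIOS]
    + [Rule("WAN", "DMZ", p, n, "allow") for p, n in PUBLISHED]
    + [Rule("DMZ", "LAN", "any", None, "deny")]
)


def audit(policy, published=PUBLISHED, backup_server=BACKUP_SERVER) -> list:
    """Return human-readable findings; an empty list means every invariant holds."""
    findings = []
    probe = list(NETBIOS) + [("tcp", 80), ("tcp", 3389)]
    # 1. Nothing may be initiated from the DMZ into the LAN.
    for proto, port in probe:
        if decide(policy, DMZ_WEB, backup_server, proto, port) == "allow":
            findings.append(f"DMZ may initiate {proto}/{port} into the LAN")
    # 2. WAN->DMZ is exactly the published allowlist; NetBIOS/SMB is never in it.
    for proto, port in set(probe) | published:
        expected = "allow" if (proto, port) in published else "deny"
        got = decide(policy, INTERNET_HOST, DMZ_WEB, proto, port)
        if got != expected:
            findings.append(f"WAN->DMZ {proto}/{port} is {got}, expected {expected}")
    # 3. LAN->DMZ NetBIOS should be scoped to the backup host, not the whole LAN.
    for proto, port in NETBIOS:
        if decide(policy, LAN_WORKSTATION, DMZ_WEB, proto, port) == "allow":
            findings.append(f"any LAN host may reach {proto}/{port} in the DMZ")
    return findings


if __name__ == "__main__":
    for name, pol in (("as posted", POLICY_AS_POSTED), ("tightened", POLICY_TIGHTENED)):
        print(name, "->", audit(pol) or "no findings")
```

The evaluator is deliberately simple (no stateful return-traffic handling, no NAT), because the thread's dispute is about which zone may open a connection to which, not about packet state. Finding 3 is the only one the as-posted policy trips: the WAN and DMZ-to-LAN invariants it already satisfies, which is the point the second poster keeps making; scoping the LAN-side rule to the one host that needs it is the point the first poster keeps making.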

 

-----Original Message-----
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 18, 2002 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [SonicWALL]- [SonicWall] backup the DMZ

 

NetBIOS enabled in the DMZ? Is that asking for trouble?

 

Why not use a LMHOSTS file instead?

 

John Tolmachoff

IT Manager, Network Engineer

RelianceSoft, Inc.

Fullerton, CA  92835

www.reliancesoft.com

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 18, 2002 7:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [SonicWALL]- [SonicWall] backup the DMZ

 

Just thought I'd update this - using Veritas Backup Exec 8.5, I am able to go from a machine internally on the LAN to a machine in the DMZ.  I have static entries in my WINS database for my DMZ machines with their public IPs so the internal clients can get at them via name, and NetBIOS enabled from LAN to DMZ.

 

J

 

 

-----Original Message-----
From: Jason Alba [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 10, 2002 4:10 PM
To: [EMAIL PROTECTED]
Subject: [SonicWALL]- [SonicWall] backup the DMZ

 

Is anyone backing up a server on the DMZ through the firewall on the LAN?  How?

 

Jason Alba

IT Manager

tel: 208.232.8599 x323

fax: 208.232.6068

http://www.varsitycontractors.com

 
