Home page logo

basics logo Security Basics mailing list archives

RE: Question about dmz security
From: "Garbrecht, Frederick" <FGarbrecht () ecogchair org>
Date: Sat, 15 Feb 2003 15:50:10 -0500

I went through this problem with our network as well.  You are correct that
this arrangement represents a security risk.  Since you are dual homed into
both your dmz and internal network, you have effectively negated the value
of having segregated vlans.  If your dmz server is compromised with an ftp
exploit, then the attacker has a clear shot into your protected network over
the other nic.  The true degree of risk depends on your exact architecture
and the rules you have implemented on your firewall.  If you have only one
way into the dmz from your internal network (that being through the
firewall), you have a much less complex task of making sure that a
compromise of your dmz server does not lead to compromise of your entire
network.  The type of architecture you describe is sometimes set up and
justified in Windows networks to simplify Windows networking; when you
segregate your vlans appropriately to ensure security, you start to run into
problems with Windows name resolution and any rpc dependent applications you
may be running.  What is often overlooked however, is that a secure
installation requires that these services be severely restricted anyway or
turned off altogether in a bastion host residing on a dmz.  So, you ARE
corrcct; you'll likely need to do a careful analysis of the services running
and any cross-vlan interdependencies, and then you can rationally plan to
get rid of the unneccessary nic.  Good luck.


-----Original Message-----
From: Jennifer Fountain
To: security-basics () securityfocus com
Sent: 2/14/03 2:42 PM
Subject: Question about dmz security

I need an opinion on a current design implementation in place.  We have
an ftp server sitting in our dmz.  This box has two nics - one is
plugged into the dmz hub and one is plugged into our network.  I think
this is a security risk and we should just allow internal users access
to the box via the firewall by opening the port instead of having dual
nics.  they do not see a security risk. maybe i am just too new at this
and need some education.  what is the "best" way to implement this

Thank you
Jenn Fountain

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]