Re: Network redesign
From: krymson () gmail com
Date: 17 Aug 2007 18:19:54 -0000
I think you'll get a few different answers about what people put in their DMZ or how they use it, and they're really
all valid for the most part.
When in doubt, remember that you also want some of your servers isolated from your internal population. Do people
really need to be able to talk directly to your SQL server, or does all non-admin work take place through the web
servers? If so, just put it all in the DMZ. This isolates it from your internal users and the outside. Better yet, give
it its own private segment! I've seen justification and companies do this all three ways, including putting the SQL
server internal and having the web servers talk to it from the DMZ.
It is ok to allow connections in and out of your DMZ; that's really going to be a given even with your domain
controllers most likely. It's ok, just make sure the firewall rules are documented, make sense, and are justified.
Your IDS/IPS should be at your chokepoints, basically the same place as your firewalls: in between your internal
network and DMZ, and between your DMZ and the Internet.
Try not to change things, and lay down rules that internal web servers are absolutely not to be accessible from the
Internet unless they are in the DMZ. If there is a question, put them in the DMZ and allow your internal users to only
connect via 80/443. I really hate that request, when a development server is built with the spoken assumption that it
is not a public box, but then 6 months later as the projects start progressing, requests come in to make it
My last bit of advice is to not take too much time on planning this. It is a huge endeavor and needs will change. If
you get it wrong, that's ok. It is better to plan, and do things, than to plan for 5 years and do nothing or not plan
and just guess. Plan for a while, but be aware that eventually ya just gotta do it and fix things later as requested.
<- snip ->
* There is the rule of thumb saying "Don't let connections go out of the
DMZ", but what about the SQL server that needs to be accessed from a web
server in a DMZ? Do we put it in the same DMZ, in another one, or maybe in a
vlan in the main network?
* What happens when the boss comes in and says "We need this private web
or terminal server in this vlan to be accessed from the outside"?
* Where is the best place to put our internal network and/or host IDS,
security scanner and the like (nothing like that exists right now :/ )
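As an added worked example (not code from this thread or from either poster), here is a small zone-based firewall policy model that encodes the advice above: default deny between zones, every rule carrying a written justification, the SQL server on its own private segment reachable only from the web tier, internal users reaching DMZ web servers on 80/443 only, and the zone boundaries that carry traffic reported as the places an IDS/IPS should sit. The zone names, ports and rules are constructed assumptions for illustration, not anyone's real network.

```python
"""Zone-based firewall policy model: default deny, documented rules, chokepoint listing.

Constructed example. Zones, hosts, ports and justifications are assumptions made
for illustration; they are not taken from the mailing-list thread.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One permit rule between two zones. An empty dports set means 'any TCP port'."""
    src_zone: str
    dst_zone: str
    dports: FrozenSet[int] = frozenset()
    justification: str = ""  # the post's point: rules must be documented and justified


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def allows(self, src_zone: str, dst_zone: str, dport: int) -> bool:
        """Default deny: a cross-zone flow passes only if some rule explicitly permits it."""
        if src_zone == dst_zone:
            return True  # intra-zone traffic never crosses a firewall in this model
        return any(
            r.src_zone == src_zone
            and r.dst_zone == dst_zone
            and (not r.dports or dport in r.dports)
            for r in self.rules
        )

    def chokepoints(self) -> Set[Tuple[str, str]]:
        """Zone boundaries that carry permitted traffic: the firewall/IDS placement points."""
        return {tuple(sorted((r.src_zone, r.dst_zone))) for r in self.rules}

    def lint(self) -> List[str]:
        """Flag rules that violate the segmentation guidance in the post."""
        findings = []
        for r in self.rules:
            ports = sorted(r.dports) if r.dports else "any"
            if not r.justification.strip():
                findings.append(f"undocumented rule {r.src_zone}->{r.dst_zone}:{ports}")
            if r.src_zone == "internet" and r.dst_zone != "dmz":
                findings.append(
                    f"internet reaches {r.dst_zone} directly; only DMZ hosts should be exposed"
                )
            if r.src_zone == "dmz" and r.dst_zone == "internal" and not r.dports:
                findings.append("DMZ has unrestricted access into the internal network")
        return findings


# Constructed "good" policy: SQL lives on its own private segment ("db"),
# reachable only from the DMZ web tier; users reach web apps over 80/443 only.
GOOD = Policy([
    Rule("internet", "dmz", frozenset({80, 443}), "public web servers"),
    Rule("internal", "dmz", frozenset({80, 443}), "staff use DMZ web apps over HTTP(S) only"),
    Rule("dmz", "db", frozenset({1433}), "web tier queries SQL on its private segment"),
    Rule("dmz", "internal", frozenset({53}), "DMZ hosts resolve names via internal DNS"),
    Rule("internal", "internet", frozenset({80, 443}), "staff web browsing"),
])

# Constructed "bad" policy: the 'expose this terminal server' request added without
# justification, plus a blanket DMZ->internal permit. lint() should flag both.
BAD = Policy(GOOD.rules + [
    Rule("internet", "internal", frozenset({3389}), ""),
    Rule("dmz", "internal", frozenset(), "temporary"),
])


if __name__ == "__main__":
    print("internal user -> SQL directly:", GOOD.allows("internal", "db", 1433))
    print("web tier -> SQL:", GOOD.allows("dmz", "db", 1433))
    print("IDS placement:", sorted(GOOD.chokepoints()))
    for f in BAD.lint():
        print("FINDING:", f)
```

The lint check is deliberately strict about direct Internet exposure of anything outside the DMZ, matching the post's rule that an internal web server either moves into the DMZ or stays unreachable from outside.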