Home page logo

basics logo Security Basics mailing list archives

Re: Network redesign
From: krymson () gmail com
Date: 17 Aug 2007 18:19:54 -0000

I think you'll get a few different answers about what people put in their DMZ or how they use it, and they're really 
all valid for the most part.

When in doubt, remember that you also want some of your servers isolated from your internal population. Do people 
really need to be able to talk directly to your SQL server, or does all non-admin work take place through the web 
servers? If so, just put it all in the DMZ. This isolates it from your internal users and the outside. Better yet, give 
it its own private segment! I've seen justification and companies do this all three ways, including putting the SQL 
server internal and the web servers talk to it from the DMZ. 

It is ok to allow connections in and out of your DMZ; that's really going to be a given even with your domain 
controllers most likely. It's ok, just make sure the firewall rules are documented, make sense, and are justified.

Your IDS/IPS should be at your chokepoints, basically the same place as your firewalls: In between your internal 
network and DMZ, and between your DMZ and the Internet.

Try not to change things, and lay down rules that internal web servers are absolutely not to be accessible from the 
Internet unless they are in the DMZ. If there is a question, put them in the DMZ and allow your internal users to only 
connect via 80/443. I really hate that request, when a development server is built with the spoken assumption that it 
is not a public box, but then 6 months later as the projects start progressing, requests come in to make it 

My last bit of advice is to not take too much time on planning this. It is a huge endeavor and needs will change. If 
you get it wrong, that's ok. It is better to plan, and do things, than to plan for 5 years and do nothing or not plan 
and just guess. Plan for a while, but be aware that eventually ya just gotta do it and fix things later as requested.

<- snip ->
* There is the rule of thumb saying "Don't let connections go out of the
DMZ", but what about the SQL server that needs to be accessed from a web
server in a DMZ? Do we put it the same DMZ, in another one or maybe in a
vlan in the main network. 
* What happens when the boss comes in and says "We need this private web
or terminal server in this vlan to be accessed from the outside"
* Where is the best place to put our internal network and/or host IDS,
security scanner and the likes (nothing like that exists right now :/ )

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]