mailing list archives
RE: Patching/ AV on the DMZ
From: "TVB NOC" <tvbnoc () temeculavalleybank com>
Date: Tue, 9 Oct 2007 12:36:29 -0700
One remedy is placing a VM with WUS on the DMZ and restricting access,
thus only allowing access from the Windows Update Servers to that DMZ VM
Host. In addition, you can then have the internal WUS pull updates
directly from the DMZ host machine isolating ports and Ip addresses to
only allow the internal WUS server communication to the DMZ Host.
One reason for doing this is that if the DMZ server is compromised it
still adds a layer of security to your internal network. In addition, if
the internal WUS is compromised it's pretty evident where you got
Hope this helps... Sorry for the grammatical mistakes too.. :)
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of fac51 () yahoo com
Sent: Monday, October 08, 2007 3:59 AM
To: security-basics () securityfocus com
Subject: Patching/ AV on the DMZ
I would like to know what the risks are of retriving patches over the
internet rather that sneakernet. Currently all patch and AV updates are
completed by us in the old fashioned way. I would like to open those DMZ
hosts to our internal WSUS.
Am I asking for a world of hurt?
Thanks in advance.