Security Basics mailing list archives

Best Practices - DMZ Security.


From: "tony toni" <tony572001 () hotmail com>
Date: Wed, 30 Oct 2002 12:09:53 -0800


Hi,

What are the best security practices for a DMZ? Or put a different way...what are things you should never allow to be done on a DMZ? To give you an example of what I am talking about, we have had our DMZ set up for about 5 years. However, we keep getting stranger requests for activities that want to be done on the DMZ. Examples include: setting up a chat server on the DMZ, opening up our firewall so various groups can use "Polycom web cams" for video conferencing, vendors that want to ssh directly into our internal servers, backing up DMZ servers to internal servers, etc.

I am working with our firewall administrators and trying to establish guidelines/standards. What would you recommend in the areas of:
 .general DMZ security design considerations?
 .services to allow?
 .ports that should be open/closed?
 .vendor/employee use of DMZ?

Is there a white paper somewhere that addresses these and other DMZ security issues? I feel like our DMZ is designed appropriately...however its security is being eroded with all of the changes people want done to the DMZ firewalls (use 4 of them...2 face internet and 2 face internal network).

Tony
IT Security Task Force Manager






