RE: Extending the DMZ

["David Gillett" <gillettdavid () fhda edu>]

  Instead of putting the server itself on the DMZ, put a proxy 
on the DMZ that relays (only) the needed services to the internal 
blade server.

David Gillett


> -----Original Message-----
> From: CORP John Porter [mailto:jporter () rsac com] 
> Sent: Wednesday, October 15, 2008 7:58 AM
> To: security-basics () securityfocus com
> Subject: Extending the DMZ
>
> We have an ASA with a separate interface for the DMZ. 
> Connected to that interface is a layer 2 switch, and then the 
> DMZ servers. The Windows guys, working with Application 
> development, have created a new server, in a blade center. 
> The blade center has a layer 3 switch built in, which is 
> connected to our core switch with a 4 port Etherchannel. Now 
> they want the server they built made available on the 
> internet. I have told them that the server must be moved to 
> the DMZ, but they are reluctant to do that because they 
> already built it on an internal Blade Server. They want me to 
> create a VLAN on the layer 3 switch and connect 1 port from 
> the layer 3 switch to the layer 2 DMZ switch, so the server 
> will be available on the DMZ. 
>
> This seems like a very bad idea to me:
> - Someone can mis-configure the server and end up with it 
> acting as a router to pass traffic between the DMZ and inside network
> - The layer 3 switch is going to route traffic between the 
> new VLAN and the inside network
> - Even if I manage to lock things down so that it works, 
> there may be other problems/exploits that make this a bad idea.
>
> Am I just being paranoid, or is this definitely a bad idea?