Firewall Wizards mailing list archives

RE: Q: Properly separating trust domains


From: "Linder, Daniel G." <Daniel.Linder () NorstanConsulting com>
Date: Mon, 20 Mar 2000 10:17:39 -0600

Bill Stout wrote:
What is the best practice to separate networks based on trust level?

Say for example you have a large pool of webservers on the DMZ. 
You then want to connect those to a pool of application servers
on a back-end network.  Can you then: I'net---FW---www----apps,
or do you have to I'net----FW---www---FW---apps?

If you have a true DMZ setup, the packets will have to go back through the
firewall to get onto the internal network.  I guess it might be possible to
set up some sort of short-circuit routing so that traffic between specific
"www" servers goes through a separate (non-firewall) route to the "apps"
servers.

O.K., question set differently.  Say for example you have W2000
serving out subscribed (captive) applications, and you use the
W2000 system as a proxy between a green and an isolated blue
network (dual-homed).  Can you then: I'net---FW---WTS----apps,
or do you have to I'net----FW---WTS---FW---apps?

Again, the packets from the Internet will flow through the firewall to the
WTS.  The WTS will have to communicate with the "apps" server through the
firewall itself.

Does the separation between trust domains have to be a traditional
security device, or can a computer running an application itself
be a proxy?  Does the blue net technically turn green?  

If "trust domains" refers to Windows "domains" (Active Directory or
traditional), then there is not much security from a hacker once they are
into one of your internal domains.  Microsoft's domains don't do much above
making life easier for the end user.  Once someone has IP access inside,
they can do nearly anything...

Dan
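A small way to check the point made in the reply above (www-to-apps traffic should cross the firewall, and a short-circuit or dual-homed route lets it skip the firewall entirely). This is an added example, not code from the thread or from any list member; the zone names, hosts, ports and policy are constructed.

```python
from collections import deque

# Constructed firewall policy for the I'net---FW---www---FW---apps layout:
# (src_zone, dst_zone, dst_port) tuples the firewall permits; all else is dropped.
POLICY = {
    ("internet", "dmz", 80),
    ("internet", "dmz", 443),
    ("dmz", "internal", 8080),  # www -> apps on the application port only
}

# Constructed hosts, mapped to the zones their interfaces sit in.
# "www2" is dual-homed (DMZ leg plus a leg on the apps network), i.e. the
# short-circuit route on which the firewall never gets a say.
HOSTS = {
    "www1": {"dmz"},
    "www2": {"dmz", "internal"},
    "apps1": {"internal"},
}

def bridging_hosts(hosts):
    """Hosts with interfaces in more than one zone."""
    return sorted(h for h, zones in hosts.items() if len(zones) > 1)

def zone_edges(zone, policy, hosts):
    """Ways out of `zone`: firewall-permitted (dst, 'firewall:<port>') edges
    and, for every host straddling `zone`, unfiltered (dst, 'direct:<host>')."""
    edges = [(dst, f"firewall:{port}") for src, dst, port in policy if src == zone]
    for host, zones in hosts.items():
        if zone in zones:
            edges += [(other, f"direct:{host}") for other in zones - {zone}]
    return edges

def reachable(start_zone, policy, hosts):
    """Breadth-first walk from start_zone. Returns {zone: set of edge labels
    by which that zone can be entered from somewhere already reachable}."""
    entries = {start_zone: set()}
    queue = deque([start_zone])
    while queue:
        zone = queue.popleft()
        for dst, label in zone_edges(zone, policy, hosts):
            if dst not in entries:
                entries[dst] = set()
                queue.append(dst)
            entries[dst].add(label)
    return entries

def unfiltered_entries(start_zone, policy, hosts):
    """Zones that can be entered from start_zone with no firewall filtering the
    hop. A true DMZ design yields {}; any entry here is a bypass to fix."""
    return {zone: sorted(l for l in labels if l.startswith("direct:"))
            for zone, labels in reachable(start_zone, policy, hosts).items()
            if any(l.startswith("direct:") for l in labels)}
```

Run `unfiltered_entries("internet", POLICY, HOSTS)` to see the dual-homed www2 reported as an unfiltered way into the apps network; remove www2's second leg and the result is empty.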
