Re: Front-End server question


From: Al Mulnick (amulnick_No_SPAM_at_ncDOTrr.com)
Date: 03/04/05


Date: Thu, 3 Mar 2005 19:28:07 -0500

That's just it, you wouldn't have the same ports and you'd be looking for
'intent' of the payload for any maliciousness.

> Also, if the consensus is that the fe should go on the inside of the
> network, wouldn't that render the point of the fe (in my case at least
> with only one back end server) moot?

Yep, it would absolutely render the point moot [1], since your DMZ is no
longer acting like a DMZ a la Ed's description: traffic would originate from
the DMZ and have an expected path. You wouldn't know the good from the bad
in most cases.

Not sure why sales recommended that solution to you. Maybe some other
details pointed them in that direction? Maybe ISA wasn't an option?

Were it me, I'd trade the FE server for the ISA in a single Exchange server
environment. That's me though. I can't see a point in a FE server in that
environment.

[1] OK, so the user would have access to only your DCs, DNS, GCs, etc. and
not other apps directly [2].
[2] They'd have to hack a DC or DNS or Exchange server to gain unrestricted
access in most environments if you left the FE server in the DMZ. Still not
usually trivial, but the stakes are much, much higher for the work.

"Michael Mendoza" <MichaelMendoza@discussions.microsoft.com> wrote in
message news:E951556D-B732-4226-A1F1-420C5C69FADD@microsoft.com...
> So how is putting the FE inside the network any better than having it in
> the DMZ? Depending on your situation you'd still have the same ports (80, 25
> etc.) open regardless of its location in the network.
>
> This thread is of particular interest to me as I'm about to deploy
> Exchange and am struggling to come up with the 'best' way to set this up.
> MS sales recommended a single FE server to go along w/ our single backend
> server. I don't have an ISA server and am fairly sure I will not be able to
> get one. I have a PIX and had planned on putting the FE in the DMZ and was
> going to open up the necessary holes to allow this to work. So now I'm just
> trying to get a consensus on what would be the best way to set this up?
>
> Also, if the consensus is that the FE should go on the inside of the
> network, wouldn't that render the point of the FE (in my case at least
> with only one back end server) moot?
>
> Thanks for your help.
>
>
> Michael
>
> "Ed Woodrick" wrote:
>
>> DMZs were originally created as an area in which things could terminate,
>> but not originate. FTP, for example, is a good example. You stick an FTP
>> server in the DMZ; people can leave things on it, people could pick things
>> up from it. But no matter what the situation, no connections can exit the
>> DMZ, which also means that nothing can transit the DMZ.
>>
>> So putting a member server in the DMZ pretty well blows any concept of
>> security that you might have. If the member server gets compromised, then
>> it has free rein to the intranet, as if the firewall didn't exist at all.
>> IPSec doesn't do anything to help the situation, just makes people think
>> that something is secure.
>>
>>
>>
>> "Al Mulnick" <amulnick_No_SPAM@ncDOTrr.com> wrote in message
>> news:uJtP7gAIFHA.1528@TK2MSFTNGP09.phx.gbl...
>> >
>> > Note that *some* would argue that if you had an application layer
>> > firewall, you wouldn't really need a DMZ. A DMZ would be an archaic
>> > throwback since its job is to allow you to cut off conversation from
>> > the untrusted to the trusted (soft squishy core). I still see some value
>> > in a DMZ myself, but just throwing that out there.
>> >
>> > Al
>> >
>> >
>>
>>
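The thread's core argument is Ed's "terminate but not originate" rule versus the holes a domain-member front-end needs. Below is an added example (not from any poster in the thread, and not a PIX configuration) that models both designs as first-match firewall policies with an implicit deny, then lists what an attacker who owns the DMZ host can reach on the inside. The address ranges, host names and the FE-to-internal port list (DNS 53, Kerberos 88, LDAP 389, GC 3268, RPC endpoint mapper 135, HTTP 80 and SMTP 25 to the back-end) are assumptions chosen to illustrate the point, not values from the thread.

```python
"""Compare a 'pure' DMZ with an Exchange front-end in the DMZ by asking one
question of each policy: if the DMZ host is compromised, what can it open
toward the intranet?  All addresses, hosts and ports below are assumptions
for illustration (RFC 5737 / RFC 1918 ranges), not taken from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    port: int          # destination port; 0 means any port
    action: str        # "permit" or "deny"


def _match(rules, s: IPv4Address, d: IPv4Address, port: int) -> bool:
    """First matching rule wins; no match means the implicit deny at the end."""
    for r in rules:
        if s in r.src and d in r.dst and r.port in (0, port):
            return r.action == "permit"
    return False


def evaluate(rules, src: str, dst: str, port: int) -> bool:
    """Is a new connection src -> dst:port permitted by this policy?"""
    return _match(rules, ip_address(src), ip_address(dst), port)


INTERNET = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")       # assumed DMZ segment
INSIDE = ip_network("10.0.0.0/8")      # assumed intranet
FTP_SERVER = "192.0.2.10"              # Ed's FTP drop box
FE = "192.0.2.20"                      # Exchange front-end in the DMZ
DC = "10.0.0.10"                       # DC / GC / DNS
BE = "10.0.0.25"                       # Exchange back-end

# Design A: Ed's DMZ.  Connections may terminate in the DMZ; none may leave it.
pure_dmz = [
    Rule(INTERNET, ip_network(FTP_SERVER), 21, "permit"),
    Rule(DMZ, INSIDE, 0, "deny"),
    Rule(DMZ, INTERNET, 0, "deny"),
]

# Design B: a domain-member front-end in the DMZ.  To authenticate users and
# proxy to the back-end it needs holes toward the DC/GC and the BE (assumed
# port list; the exact set varies by version and features).
FE_HOLES = {DC: (53, 88, 135, 389, 3268), BE: (25, 80, 135)}
fe_in_dmz = [
    Rule(INTERNET, ip_network(FE), 443, "permit"),   # OWA over HTTPS
    Rule(INTERNET, ip_network(FE), 25, "permit"),    # inbound SMTP
]
for host, ports in FE_HOLES.items():
    for p in ports:
        fe_in_dmz.append(Rule(ip_network(FE), ip_network(host), p, "permit"))
fe_in_dmz += [Rule(DMZ, INSIDE, 0, "deny"), Rule(DMZ, INTERNET, 0, "deny")]

# A small probe list standing in for a port scan run from the owned host.
PROBE_PORTS = (21, 22, 25, 53, 80, 88, 135, 139, 389, 443, 445, 636, 3268, 3389)


def reachable_from(rules, owned_host: str, targets, ports=PROBE_PORTS):
    """(target, port) pairs a compromised `owned_host` can open toward `targets`.
    Every pair returned is a flow the firewall considers an 'expected path':
    it cannot tell the FE's own LDAP lookup from an attacker's LDAP query."""
    s = ip_address(owned_host)
    return sorted((t, p) for t in targets for p in ports
                  if _match(rules, s, ip_address(t), p))


if __name__ == "__main__":
    print("pure DMZ, FTP box owned  :", reachable_from(pure_dmz, FTP_SERVER, [DC, BE]))
    print("FE in DMZ, FE owned      :", reachable_from(fe_in_dmz, FE, [DC, BE]))
    print("FE in DMZ, other DMZ host:", reachable_from(fe_in_dmz, "192.0.2.99", [DC, BE]))
```

With design A the owned FTP box reaches nothing inside, which is the whole value of the DMZ. With design B the owned front-end gets LDAP, Kerberos, RPC and HTTP/SMTP into the DC and back-end, exactly the "hack a DC or DNS or Exchange server" footnote above; the firewall permits those flows by design, so only inspection of what is inside them (Al's "intent of the payload", i.e. an application-layer firewall such as ISA) could distinguish the proxy's traffic from an attacker's.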


