Re: Critical services to unblock?
"Wilhil" <Wilhil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D9274DE0-55B9-4EBE-B59E-640BFAC287B9@xxxxxxxxxxxxxxxx
Thanks Phillip and Asher (and for the quick response)

I have always just thought that a DMZ was safer,

Everybody does,...it has become a "superstition".
There are two of these common superstitions:

1. "I am secure because I have a Firewall"
2. "I am secure because I use a DMZ"

I thought it was at least a little more secure :S

I feel the need to "babble" for a bit...:-)

Being secure is defined by what you are trying to deny access to,...and whether
or not you are successful. So what is the DMZ going to "stop" that putting
it behind an ISA in an "Edge Firewall" design won't do?

Probably the best answer to that would be that if the Server is compromised
then the server could become the "tool" that the hacker uses to access the
LAN that the Server is physically sitting in,...True. But if the DMZ is
allowing the Server to access the LAN,..then a compromised server could
access the LAN as well, and what good did the DMZ do?...nothing. The DMZ
would have made things more complex for you,...but made no difference to the
hacker,...so who did the DMZ hinder most effectively?...you,...or the
hacker?

So the real security relies on the published server being properly patched,
configured, secured, and hardened,...not the firewall making it available.
This also means the Applications running on the Server need to be of high
professional quality that is securely and solidly written,...after all
hackers don't just break into the OS,...they very often break into the
Applications running over the OSs. By the way, Websites are
Applications,... and are the favorite target.

It sounds like it is an SQL Server in your case,...therefore with the server
on the LAN behind ISA, publish only the SQL service to the outside and
maybe even restrict inbound access specifically to the exact IP# of the
server running the Application that is acting as the "front end" to the
database. Most of your security is going to rest with the quality of the
"front end" Application. Most any attack will have to come through that
Application since the IP# of that machine is the only one allowed to contact
the SQL server.

If it is of any comfort, the only live demonstration I have seen of a successful
break-in to a system was done by attacking an SQL Server that used a web
based front end (a Website). SQL injection was used because the Website
(front-end App) did not properly handle the submitted data,..it was not
actually the SQL Server's fault.

I'm not saying you shouldn't have a DMZ,...I'm just trying to look at it
realistically. I think the design of a particular deployment and the
circumstances around it should be able to clearly dictate that one is
needed, and why, and what type of DMZ. I believe I could go most all of my
career before I retire and not ever need to create a DMZ,..or at least very
few of them.

If I did, it would probably be a Back-to-Back DMZ and the machine(s) in the
DMZ would have extremely limited communication to the LAN. But even then I
could do the same with an Edge Firewall and have the Public Server on the
Public Network and do the same thing,..the only difference would be the
level of protection given to the Public Server,..the LAN would be no
different.

If I am off base on this anyone is welcome to "slap me straight" on it.
That's no problem.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
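The SQL injection case Phillip describes, as an added example that is not code from this thread: a front end that concatenates form input into the query hands attacker-controlled SQL to the database even though the firewall only admits the front end's IP, while the parameterised version of the same lookup binds the input as data. The in-memory sqlite3 table, the `users` schema and the lookup functions are constructed here for illustration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the published SQL Server: two rows of
    per-customer data that one user should never see for another."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-data"), ("bob", "bob-data")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The 'front end' builds the SQL text from the submitted value.
    The query reaches the server from the one permitted IP, so the
    firewall rule is satisfied; the damage is in the query itself."""
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_hardened(conn, name):
    """Same lookup with a bound parameter: the submitted value can only
    ever be compared against the name column, never parsed as SQL."""
    rows = conn.execute("SELECT secret FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    submitted = "x' OR '1'='1"   # constructed malformed form input
    print("vulnerable:", lookup_vulnerable(db, submitted))  # both rows leak
    print("hardened:  ", lookup_hardened(db, submitted))    # no match
```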