Re: Where to place the DMZ zone?
- From: "MikeC" <Nospam@xxxxxxxxxx>
- Date: Fri, 13 Jan 2006 16:56:33 -0800
Phillip,
So, hypothetically, let's say you have no DMZ hosting an email bridgehead
(SMTP relay) and/or a set of webservers - you have only internal servers
protected by ISA.
If a hacker were to compromise one of your email or web servers (they are
accessible via the Internet through ISA - DMZ or not), hacker wins, you
lose, game over - the hacker now has access to your internal network via the
compromised email or webserver. That is, the Internet-accessible servers
that can be compromised are on your internal network; there is no additional
fence to cross (more FW rules) - unfettered access to all your internal
resources (workstations and file servers) commences...
On the other hand, if you had placed your email and webserver in a DMZ, when
a hacker compromised a DMZ server (since internal servers and workstations
are not directly accessible via the Internet) Hacker would only have limited
access to your internal network. He would only have access to the internal
machines that the DMZ machines have access to - a limited or null set.
Additionally, with a DMZ you would have more time to notice the compromise,
since the hacker now needs to compromise another box - an internal LAN box -
before he has complete access to all your internal workstations and file
servers.
The no DMZ argument is very weak.
MikeC
If the latest bug allowing control of the Exchange server via an arriving
"Phillip Windell" <@.> wrote in message
news:eAOVnS4FGHA.3532@xxxxxxxxxxxxxxxxxxxxxxx
> "Bendji" <Bendji@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:5E1ABCDE-0A83-4499-8BD5-080F9BB654FB@xxxxxxxxxxxxxxxx
>
>> I was just wondering if the ISA did not offer a better security for a
>> Web-, terminal-, sharepoint portal server etc. and hence the DMZ zone should
>> be there instead of between the two devices.
>
> I would have the Portal Server on the LAN and would use the ISA to publish
> it out to the Net. I would have no DMZ. I don't think you will ever get me
> to admit that I would "need" a DMZ for anything.
>
>> But perhaps there is a security related question/problem if the DMZ and
>> the internal is on the ISA?
>
> You must be talking about a Tri-Homed DMZ. I think they are about worthless.
> With ISA2004 they are not much more than just another second Internal
> Network with a Routing Relationship and Access Rules between it and the
> original Internal Network. With ISA2000 at least it was effectively an
> additional External Network that was a "stub" network. It was untrusted by
> the LAN and was more thoroughly separated from the LAN. But in either case I
> don't have much use at all for a Tri-Homed DMZ. If I ever did use a DMZ it
> would only be a Back-to-Back DMZ.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
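To make the reachable-set argument in the post above concrete, here is an added example (not code from the thread, and not ISA Server's own rule format) that models the two designs as hosts, zones and allow rules, then computes how many boxes an attacker must compromise before each LAN host is reachable. The topology, host names and rules are constructed for illustration; it assumes, as the worst case, that any port a rule exposes can be exploited.

```python
"""Reachability model for the DMZ argument: which hosts can an attacker who
compromises an Internet-facing server go on to reach, and how many boxes
must fall first?  Constructed example; the hosts and rules are invented.
Worst-case assumption: any port a firewall rule exposes is exploitable."""
from collections import deque

ANY = "*"  # any port


def _matches(selector, host, zones):
    """A rule selector is either a host name or a zone name."""
    return selector == host or selector == zones[host]


def can_reach(design, src, dst):
    """True if at least one allow rule lets src initiate a connection to dst."""
    zones = design["zones"]
    return any(_matches(s, src, zones) and _matches(d, dst, zones)
               for s, d, _port in design["rules"])


def compromise_depth(design, start="attacker"):
    """Breadth-first search from the attacker: the value for each host is the
    number of boxes that must be compromised before it becomes reachable
    (start host = 0).  Hosts that can never be reached are absent."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for host in design["zones"]:
            if host not in depth and host != cur and can_reach(design, cur, host):
                depth[host] = depth[cur] + 1
                queue.append(host)
    return depth


def lan_exposure(design, after_hops):
    """LAN hosts the attacker can reach after compromising at most
    `after_hops` boxes in sequence."""
    depth = compromise_depth(design)
    return sorted(h for h, n in depth.items()
                  if design["zones"][h] == "lan" and n <= after_hops)


def zone_crossing_rules(design, src_zone, dst_zone):
    """Rules that let src_zone initiate into dst_zone: the list to audit
    (the 'limited or null set' the post talks about)."""
    zones = design["zones"]
    return [(s, d, port) for s, d, port in design["rules"]
            if zones.get(s, s) == src_zone and zones.get(d, d) == dst_zone]


# Published services: the same in both designs (constructed).
INTERNET_RULES = [("internet", "smtp-relay", 25), ("internet", "www1", 80)]

# Design 1: no DMZ.  The published servers sit on the LAN and nothing
# filters LAN-to-LAN traffic.
NO_DMZ = {
    "zones": {"attacker": "internet", "smtp-relay": "lan", "www1": "lan",
              "exchange": "lan", "fileserver": "lan", "workstation1": "lan"},
    "rules": INTERNET_RULES + [("lan", "lan", ANY)],
}

# Design 2: the same servers in a DMZ.  The only DMZ-to-LAN rule is the
# relay forwarding mail to Exchange on port 25.
WITH_DMZ = {
    "zones": {"attacker": "internet", "smtp-relay": "dmz", "www1": "dmz",
              "exchange": "lan", "fileserver": "lan", "workstation1": "lan"},
    "rules": INTERNET_RULES + [("smtp-relay", "exchange", 25),
                               ("dmz", "dmz", ANY), ("lan", "lan", ANY)],
}

if __name__ == "__main__":
    for name, design in (("no DMZ", NO_DMZ), ("with DMZ", WITH_DMZ)):
        print(name, "depth per host:", compromise_depth(design))
        print(name, "LAN hosts reachable after 2 compromises:",
              lan_exposure(design, 2))
    print("DMZ->LAN rules to audit:", zone_crossing_rules(WITH_DMZ, "dmz", "lan"))
```

With no DMZ the file server falls at depth 2 (attacker, then the web server, then everything on the LAN); with the DMZ it falls at depth 3, because Exchange has to be compromised first, and after two compromises the attacker sees only Exchange. The `zone_crossing_rules` list is what you review when you want the DMZ-to-LAN set to stay as close to null as the application allows.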
- References:
- Re: Where to place the DMZ zone?
- From: Bendji
- Re: Where to place the DMZ zone?