Re: DMZ and file sharing
- From: "Jonathan Davey" <me@xxxxxxxxxxxxxxx>
- Date: Mon, 10 Jul 2006 20:37:03 +0100
DMZ is DeMilitarized Zone; in other words, you're open to everyone and
everything!!
Never ever use DMZ: a) it's an open, unlocked door with a big sign saying you're
out at the shops, and b) it's totally not needed.
We don't know if Mr Byrns is running the Web Service on his SBS or another
server!
"Joe" <joe@xxxxxxxxxxxxxx> wrote in message
news:OHam86EpGHA.4116@xxxxxxxxxxxxxxxxxxxxxxx
"JosephByrns" <josephbyrns@xxxxxxxxx> wrote in message
news:%23Iw642ApGHA.4188@xxxxxxxxxxxxxxxxxxxxxxx
I have my web server connected to the DMZ port of a firewall. I have a
number of asp.net applications running on the web server that need to
save/retrieve files to/from a restricted area on the LAN. What is the
best/safest way to do this? Mapping a network drive, or something
else?
Jonathan Davey wrote:
I'm not an expert but am interested in your question: why use DMZ? Would
it not be better to simply forward or open port 80 to your web server?
I have a number of web servers, SP sites, FTP sites and custom
applications. I have 3 ADSL connections and numerous external DNS
records. I don't have DMZ enabled on any of my gateways!!
Because a compromised business computer is a mandatory reformat and
reinstall job, which is no fun on your network's domain controller
and only server. That's assuming no actual damage is done, which is
unlikely. With SBS, all the eggs are in one basket, and you simply
cannot allow it to be dropped. You cannot use it as a public web
server or even allow such a server unrestricted network access to
it. Hence the DMZ. If you've never lost a web server, count yourself
lucky and make sure you have a plan in place to rebuild your network
when it happens.
To Mr Byrns: there's no simple answer to this. It depends exactly
what your applications do, whether they read or write, whether to
file or database, whether the data is tied tightly to the LAN or
mainly freestanding, whether the data is intrinsically valuable or
only of value to the owner, whether it's the only copy, etc.
You need to consider the safety of the LAN when the web server gets
compromised. Whatever access the web server has to the LAN, so will
the cracker. And he'll have a nice local platform to work from. In
principle, data should be pushed to and pulled from the web server,
rather than the other way around. As long as something inside the
firewall initiates the transfer, the firewall itself doesn't have to
have extra holes drilled in it. The whole point of a DMZ is that if
the bad guys get into it, they can't go any further.
Mapping drives is simply not an option. To allow that, you need to
open Windows file sharing through the firewall, and you might just
as well not bother with a DMZ.
Email is a reasonably common way for servers to communicate.
Sensitive data can be sent encrypted, hashing can be used to detect
tampering, the two machines do not have to communicate directly but
can use mailboxes anywhere. Always treat data recovered from a web
server with suspicion, as even if the box is still secure, many
methods of user interaction with web servers can be used to upload
malicious content. Never redisplay information on a web page which
someone has entered through a form or by GET or POST without
delousing it first. And so on...
OK, so I'm paranoid. I'm happy that way. And uncracked.
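The pull model Joe describes above, as an added example that is not from this thread or any of its posters: a collector that runs on the LAN, polls an outbox the DMZ web server publishes, verifies an HMAC-SHA256 tag on each file with a key only the two hosts share, and rejects bad filenames, oversized bodies and tampered contents before anything is written into the restricted area. Everything in it is assumed for illustration (the outbox layout, the `.hmac` companion file next to each data file, the shared key, and the in-memory dictionary standing in for the HTTPS fetch so it runs offline). The point it demonstrates is that the LAN side initiates every transfer, so the firewall needs one outbound LAN-to-DMZ rule and no inbound hole, and no drive is ever mapped.

```python
"""LAN-side collector that pulls files from a DMZ web server's outbox.

Added example; not code from the thread. Assumed (hypothetical) layout:
  - the ASP.NET app on the DMZ host writes each outgoing file to an outbox
    together with <name>.hmac, an HMAC-SHA256 hex tag over the file body;
  - the key is shared only between the DMZ app and this LAN collector;
  - the collector polls the DMZ over HTTPS; here that fetch is replaced by
    an in-memory dict so the example runs offline.
"""
import hashlib
import hmac
import os
import re
import tempfile
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed key for the example only; load it from a secret store in real use.
SHARED_KEY = b"example-shared-key-not-for-production"

# Names the DMZ side may hand us: alphanumeric start, no path separators,
# bounded length. "../x" and "/etc/passwd" both fail this.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")
MAX_SIZE = 10 * 1024 * 1024  # cap what a compromised DMZ host can feed us


def compute_tag(data: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the file body; the DMZ app writes this beside each file."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_file(name: str, data: bytes, tag_hex: str,
               key: bytes = SHARED_KEY) -> Tuple[bool, str]:
    """Decide whether one pulled file may enter the restricted area."""
    if not SAFE_NAME.fullmatch(name):
        return False, "bad filename"
    if len(data) > MAX_SIZE:
        return False, "too large"
    # Constant-time compare so a DMZ attacker cannot learn the tag byte by byte.
    expected = compute_tag(data, key).encode("ascii")
    if not hmac.compare_digest(expected, tag_hex.strip().encode("utf-8")):
        return False, "integrity check failed"
    return True, "ok"


def pull_outbox(list_names: Callable[[], Iterable[str]],
                fetch: Callable[[str], bytes],
                dest_dir: str,
                key: bytes = SHARED_KEY) -> Dict[str, str]:
    """Poll the outbox: fetch body and tag for each advertised name, verify,
    and only then write into dest_dir. Returns {name: reason}."""
    os.makedirs(dest_dir, exist_ok=True)
    results: Dict[str, str] = {}
    for name in list_names():
        try:
            data = fetch(name)
            tag_hex = fetch(name + ".hmac").decode("ascii", "replace")
        except Exception as exc:  # missing tag, network error, etc.
            results[name] = f"fetch failed: {exc}"
            continue
        ok, reason = check_file(name, data, tag_hex, key)
        results[name] = reason
        if ok:
            # Write to a temp name, then rename, so readers never see a partial file.
            tmp = os.path.join(dest_dir, name + ".part")
            with open(tmp, "wb") as fh:
                fh.write(data)
            os.replace(tmp, os.path.join(dest_dir, name))
    return results


def build_demo_outbox(key: bytes = SHARED_KEY) -> Dict[str, bytes]:
    """Constructed stand-in for the DMZ outbox: one good file, one tampered
    after tagging, one with a traversal name (valid tag, still rejected)."""
    good = b"order 1234: 3 x widget, ship to LAN inventory\n"
    original = b"order 1235: 3 x widget\n"
    evil = b"<script>alert(1)</script>"
    return {
        "order-1234.txt": good,
        "order-1234.txt.hmac": compute_tag(good, key).encode(),
        "order-1235.txt": b"order 1235: 300 x widget\n",  # altered on the DMZ box
        "order-1235.txt.hmac": compute_tag(original, key).encode(),
        "../../inetpub/evil.html": evil,
        "../../inetpub/evil.html.hmac": compute_tag(evil, key).encode(),
    }


def run_demo() -> Tuple[Dict[str, str], List[str]]:
    """Run the collector against the constructed outbox in a temp directory."""
    outbox = build_demo_outbox()
    names = [n for n in outbox if not n.endswith(".hmac")]
    with tempfile.TemporaryDirectory() as dest:
        results = pull_outbox(lambda: names, lambda n: outbox[n], dest)
        landed = sorted(os.listdir(dest))
    return results, landed


if __name__ == "__main__":
    results, landed = run_demo()
    for name, reason in results.items():
        print(f"{name!r}: {reason}")
    print("landed in restricted area:", landed)
```

To use it for real, replace `list_names` and `fetch` with an HTTPS client pointed at the DMZ host's outbox and allow only that one outbound connection through the firewall. The tag proves the file is the one the DMZ app wrote, not that the DMZ app was honest; if the web server is already owned, its app can tag anything, which is why the body still gets the suspicious treatment Joe recommends before it is used.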