Network Security Firewalls

Re: Host placement and DMZ internal/external questions.

Subject: Re: Host placement and DMZ internal/external questions.
Date: Wed, 19 Oct 2005 18:18:48 +0200
Hello Adam,

Well, let me try to help you by explaining my point of view:
 to 1:
 A host which has access to the internal network should not be placed in
 the DMZ; what should be the purpose of having a DMZ then?
 Imagine, you will have to configure the (inner) router to allow
 inbound traffic from that host, so if it is getting compromised, you
 allow an attacker full access to the internal network, and all he has to
 do is to enter the DMZ.
 to 2:
 Mail server could be in there; if you configure that one properly you
 can run it on the bastion host.
 Antivirus server ... no way ... antivirus update server... no way.
 Imagine that someone would be able to compromise that machine, and
 replace your antivirus updates with malicious code, or change
 components of the antivirus software itself; that could compromise your
 whole internal network.

 Just my 2 cents. Enjoy.


 regards,
 Adam Pal

Wednesday, October 12, 2005, 1:10:08 PM, you wrote:

<==============Original message text===============
AT> I have a few questions about DMZ internal and external networks
AT> that I need help with.

AT> 1. If you have a host such as Citrix that must have access to the
AT> internal network, does that sit on your DMZ?

AT> 2. Antivirus mail gateway servers / antivirus update server: does that
AT> sit on your DMZ?

AT> 3. A squid proxy that internal hosts access

AT> With the examples above, do I place the hosts on the DMZ and then
AT> modify firewall rules so that the host has the access they need to
AT> perform as an internal network host? If so, how is that different than
AT> opening up a specific port directed to a specific host on the internal
AT> network for outside world access?

AT> Part of my confusion lies in that when I think DMZ I think that the
AT> host should never touch the internal network and be left out in the
AT> DMZ alone.

AT> I hope I have stated my questions clearly.
AT> Thank you for your responses.

AT> /at

<===========End of original message text===========



-- 
Best regards,
 Adam Pal                            mailto:pal_adam@gmx.net
