Network Security Firewalls

Re: Host placement and DMZ internal/external questions.

Subject: Re: Host placement and DMZ internal/external questions.
Date: Sat, 15 Oct 2005 11:01:21 -0400
Thank you for the reply David.

In the example I gave, if I had an antivirus gateway and the antivirus
server for delivering updates to internal clients on the same system
and placed in the DMZ would that be considered bad design / an
unnecessary risk and should be changed?



On 14/10/05, David Gillett <gillettdavid@fhda.edu> wrote:
1 if you have a host such as Citrix that must have access to
the internal network does that sit on your DMZ?

 Where are the clients of the Citrix box?

 In general, DMZ systems should not be initiating connections
to the internal network.  Exceptions include VPN servers and
*possibly* a Citrix box for external clients; you might want to
put these in a separate DMZ from public-facing servers like
WWW and email.

2 antivirus mail gateway servers / Antivirus update server
does that sit on your DMZ ?

 The gateway needs to accept arbitrary connections from outside,
so it goes in a DMZ.  The update server might not, since you're
not providing this as a service to the general Internet (are you?),
but if the gateway gets its updates from there, or the vendor
pushes updates to you, then it could go in a DMZ.

3 a squid proxy that internal hosts access

 Does your firewall do stateful inspection?  If not, you may have
to leave many ports open to allow users to do non-PASV FTP.  Better
to leave these open to a proxy in the DMZ than to your internal
network....

David


-----Original Message-----
From: Adam T [mailto:123security@gmail.com]
Sent: Wednesday, October 12, 2005 4:10 AM
To: firewalls@securityfocus.com
Subject: Host placement and DMZ internal/external questions.

I have a few questions about DMZ internal and external
networks that I need help with.

1 if you have a host such as Citrix that must have access to
the internal network does that sit on your DMZ?

2 antivirus mail gateway servers / Antivirus update server
does that sit on your DMZ ?

3 a squid proxy that internal hosts access

With the examples above, do I place the hosts on the DMZ and
then modify firewall rules so that the host has the access
they need to perform as an internal network host? If so, how
is that different than opening up a specific port directed to
a specific host on internal network for outside world access?

Part of my confusion lies in that when I think DMZ I think
that the host should never touch the internal network and be
left out in the DMZ alone.

I hope I have stated my questions clearly. Thank you for your
responses.

/at
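
Added example, not part of the thread: a small Python check that applies the placement rule from David's reply (DMZ hosts should not initiate connections to the internal network, with VPN/Citrix as possible exceptions kept in a separate DMZ) to a list of firewall allow rules. The address plan, zone names and rule names are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption): two DMZs as the reply suggests, plus the inside.
ZONES = {
    "internal":   ipaddress.ip_network("10.0.0.0/16"),
    "dmz_public": ipaddress.ip_network("192.0.2.0/25"),    # WWW, mail/AV gateway, proxy
    "dmz_remote": ipaddress.ip_network("192.0.2.128/25"),  # VPN server, Citrix
}

def zone_of(addr):
    """Zone containing addr; 'any' or unlisted is 'outside'. Rules are assumed to name one zone each."""
    if addr == "any":
        return "outside"
    net = ipaddress.ip_network(addr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "outside"

def audit(rules):
    """Classify each allow rule by which zone initiates the connection and where it lands."""
    findings = []
    for r in rules:
        src, dst = zone_of(r["src"]), zone_of(r["dst"])
        if dst != "internal" or src == "internal":
            verdict = "ok"
        elif src == "outside":
            verdict = "flag: outside initiates to internal"
        elif src == "dmz_remote":
            verdict = "exception: remote-access DMZ, review scope"
        else:
            verdict = "flag: public DMZ initiates to internal"
        findings.append((r["name"], f"{src}->{dst}", verdict))
    return findings

# Constructed sample policy (allow rules only; stateful firewall assumed, so replies are implicit).
RULES = [
    {"name": "smtp-in",         "src": "any",            "dst": "192.0.2.10/32", "port": 25},
    {"name": "clients-av-pull", "src": "10.0.0.0/16",    "dst": "192.0.2.10/32", "port": 80},
    {"name": "av-push",         "src": "192.0.2.10/32",  "dst": "10.0.0.0/16",   "port": 8080},
    {"name": "citrix-backend",  "src": "192.0.2.130/32", "dst": "10.0.5.20/32",  "port": 3389},
    {"name": "proxy-users",     "src": "10.0.0.0/16",    "dst": "192.0.2.20/32", "port": 3128},
    {"name": "port-forward",    "src": "any",            "dst": "10.0.5.30/32",  "port": 443},
]

if __name__ == "__main__":
    for name, flow, verdict in audit(RULES):
        print(f"{name:16} {flow:24} {verdict}")
```

In this sample, internal clients pulling updates from a DMZ host pass, while the same host pushing inward is flagged, as is the direct port-forward to an internal host that the original question asks about.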



