Network Security Firewalls

Re: Host placement and DMZ internal/external questions.

Subject: Re: Host placement and DMZ internal/external questions.
Date: Wed, 19 Oct 2005 14:59:46 -0500
Adam & Adam,

Just some points of clarification (inline), where the trains might be passing in the night...

On Oct 19, 2005, at 11:18 AM, gmx wrote:

Hello Adam,

Well, let me try to help you by explaining my point of view:
 to 1:
 A host which has access to the internal network should not be placed in
 the DMZ; what would be the purpose of having a DMZ then?
 Imagine: you will have to configure the (inner) router to allow
 inbound traffic from that host, so if it gets compromised, you
 allow an attacker full access to the internal network, and all he has to
 do is enter the DMZ.

You are not giving the DMZ host free rein over the internal network. You have allowed specific ports to specific ports and ideally specific systems. Even if the DMZ host is compromised through the DMZ, it does not necessarily mean the internal host can be compromised as well.



 to 2:
 Mail server could be in there; if you configure that one properly you
 can run it on the bastion host.
 Antivirus server ... no way ... antivirus update server ... no way.
 Imagine that someone would be able to compromise that machine and
 replace your antivirus updates with malicious code, or change
 components of the antivirus software itself; that could compromise your
 whole internal network.


This should really be a question of risk tolerance and local policy. Should one choose to use the auto update to a host ("distribution server") that the rest of the "clients" talk to, then putting it in a DMZ makes the most sense (i.e., tiers for additional protection). The communication from the distribution server can be limited to the vendor's IP only, and it can be locked down to just communicate with specific internal servers for further distribution.


--ron

 Just my 2 cents. Enjoy.


regards, Adam Pal

Wednesday, October 12, 2005, 1:10:08 PM, you wrote:

<==============Original message text===============
AT> I have a few questions I have about dmz internal and external networks
AT> that I need help with.


AT> 1 if you have a host such as citrix that must have access to the
AT> internal network does that sit on your DMZ?

AT> 2 antivirus mail gateway servers / Antivirus update server does that
AT> sit on your DMZ ?


AT> 3 a squid proxy that internal hosts access

AT> with the examples above do I place the hosts on the DMZ and then
AT> modify firewall rules so that the host has the access they need to
AT> perform as an internal network host? if so how is that different than
AT> opening up a specific port directed to a specific host on internal
AT> network for outside world access?


AT> part of my confusion lies in that when I think DMZ I think that the
AT> host should never touch the internal network and be left out in the
AT> DMZ alone.


AT> I hope I have stated my questions clearly
AT> thank you for your responses.

AT> /at

<===========End of original message text===========



--
Best regards,
 Adam Pal                            mailto:pal_adam@gmx.net
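The placement Ron argues for (the DMZ distribution server may talk only to the vendor's address, and only to named internal servers on one port, with everything else from the DMZ into the LAN dropped and logged) written out as an nftables ruleset. This is an added example, not from the thread or either poster; the interface names, addresses, set name and port 8443 are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Assumed topology (constructed for this example):
#   eth0 = external (Internet), eth1 = internal LAN 10.0.0.0/24, eth2 = DMZ 192.0.2.0/24
#   192.0.2.10   = antivirus distribution server in the DMZ
#   203.0.113.50 = vendor update server (placeholder address)
#   10.0.0.20/21 = internal servers that redistribute the updates (placeholder)
flush ruleset

table inet filter {
    set av_internal_targets {
        type ipv4_addr
        elements = { 10.0.0.20, 10.0.0.21 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to already-permitted flows continue; junk state is dropped.
        ct state established,related accept
        ct state invalid drop

        # DMZ distribution server -> vendor only, HTTPS only.
        iifname "eth2" oifname "eth0" ip saddr 192.0.2.10 ip daddr 203.0.113.50 tcp dport 443 ct state new accept

        # DMZ distribution server -> the named internal servers only, on the one
        # distribution port (8443 is a placeholder). No other DMZ host, and no
        # other destination or port, may open a connection into the LAN.
        iifname "eth2" oifname "eth1" ip saddr 192.0.2.10 ip daddr @av_internal_targets tcp dport 8443 ct state new accept

        # Internal LAN may initiate connections outward and into the DMZ
        # (tighten further according to local policy).
        iifname "eth1" oifname { "eth0", "eth2" } ct state new accept

        # Anything else the DMZ tries toward the LAN is logged then dropped:
        # a compromised DMZ host probing inward shows up here.
        iifname "eth2" oifname "eth1" log prefix "dmz-to-internal-denied: " drop
    }
}
```

Load with `nft -f` and check the counters or the kernel log for the `dmz-to-internal-denied:` prefix to see what the DMZ host attempted beyond its allowed flows.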


