RE: DMZ Security?

  • From: "Joseph" <cismic@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 16 Feb 2002 18:19:29 -0800

My opinions are in line.
Joseph
 
-----Original Message-----
From: Goktug Yildirim [mailto:yildirim@xxxxxxxxxxxxxxx] 
Sent: Saturday, February 16, 2002 6:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] DMZ Security?
Importance: High
 
http://www.ISAserver.org
Hello,
 
I have some questions, not about a specific problem, configuration or
installation, but I am looking for answers to a "WHY?" list. I don't mean
to bother anyone, but I can't help myself looking deeper into these
questions. In my opinion these are really important basic questions to
ask yourself before designing internet/intranet security.
 
1. WHY is a back-to-back DMZ more secure than the 3-NIC DMZ?
What is my advantage in buying another license and dealing with lots of
configuration instead of working with a 3-NIC DMZ?
Is it only because of isolating the subnets not only with software
code but also physically? And if so, don't we have to trust that
code? If it fails, does physical isolation really save me? Because I have
another failed or ready-to-be-hacked firewall software at the other end!

I like the back-to-back Internet ==> DMZ ==> WEB SITES ==> DMZ ==>
INTERNAL SITE.  The DMZ creates kind of a sandbox approach to protecting
your site.  By allowing information to enter via packet filters, server
or web publishing rules you can control what enters the DMZ.  The nice
thing at this point is that the computers in the DMZ from the external
ISA box are entered into the local LAT.  The internal ISA box uses the
LAT from the external machine as the hostile (fake internet) and that is
then used as the incoming web IP into the internal ISA.  Again via
packet filters, server or web publishing rules you can stop what comes
into your internal net.  Now the internal ISA machine uses your internal
machines in its own LAT table.  Now what you have is basically 2
networks that have completely different IP addresses without much of a
hassle.  INTERNET (216.0.0.0 EXT) ==> WEB SITES (172.0.0.0 LAT) ==>
INTERNAL SITE (198.0.0.0 INT).
 
2. WHY is it a DMZ security violation to have an internal domain member
server in the back-to-back DMZ scenario? If I ask this question in a
very simple way, WHAT is the difference between a hacked member server
and a hacked stand-alone server?
Front-End<->Back-End Exchange 2000 architecture requires the Front-End
Exchange server to be a member server. Also Microsoft has an article
dealing with this configuration which even lists the ports to be
opened. IF this is a DMZ violation, WHY does MS violate its own firewall
security?

I keep my EXCHANGE machine in the internal network, protected
by 2 ISA servers.  I keep a machine in my DMZ that forwards SMTP mail.
That keeps my Exchange machine hidden from the outside world.
 
3. WHY is it more secure to chain the ISA firewalls?
What is the security failure or hole if I don't chain the internal and
external firewalls in a back-to-back DMZ scenario?

I'm not sure if it is more secure.  By chaining the firewalls, if one
goes offline for whatever reason you still have some level of
protection.
 
4. IF I open a VPN tunnel inside from one of the DMZ servers to reach
some of the resources in the internal domain, is it a DMZ security
violation, or is it better and more secure than creating lots of packet
filters and tons of configuration for that DMZ server?
If I configure a packet filter only for that server and someone
simulates an IP packet that has the same source IP as the DMZ server's IP,
it can reach that specific resource. But if I configure this server
properly as an L2TP VPN client, don't I make sure of the incoming source exactly?

I've not had a need yet for VPN but will do so in the future and this
would interest me too.
 
5. WHY is publishing a server more secure than putting it in the DMZ?
(comparison of public IP DMZ and private IP DMZ).
What is the difference between ISA server publishing and DMZ server
publishing? When you publish a server it means that someone can open a
session to that server and can exploit whatever he/she wants, if it is
possible. Isn't it the same for DMZ server publishing? What are the
benefits or losses of publishing a server versus DMZ server publishing?

I also can block via filters what I don't want coming into the site via
ISA.
 
It is basically behind 2 firewalls.  I don't keep any SQL machines in
the DMZ, I just keep my web servers.  And I limit the types and numbers
of services running on the machines in the DMZ.  They don't belong to any
domain, so you can't actually see what computers are located in the DMZ.
 
I know I have to read books and I can find these topics there. However, I just
need some push or a start to go further. Answers or comments of one or
two sentences would make this great!
 
Thanks and regards to anyone who even reads these,
 
GOKTUG YILDIRIM