Re: DNS Subnet question with DMZ

  • From: "Hugo Caye" <Hugo@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 10 Aug 2001 13:04:31 -0300

Another important concept is that the outbound traffic from the DMZ to the outside world 
should be very limited. For example, if there are an SMTP and an IIS in the DMZ, 
allow only udp/53 and tcp/25 from the DMZ to the Internet.

If a trojan were installed on a DMZ host (through an overflow attack), the 
malicious outside guy cannot initiate a new connection from your host to him 
using a tcp port. Remember that he cannot use tcp/25 because it is in use on the 
DMZ host. I think that RC-2 won't be successful in a network like that; at least 
the trojan will fail to open a new connection to the outside.

This type of policy (limiting the opening of new tcp connections to the outside) 
is difficult (if not impossible) to deploy on the inside interface of the 
firewall.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Friday, 10 August 2001 11:28
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: DNS Subnet question with DMZ


http://www.ISAserver.org


A DMZ provides isolation of your trusted network from your "publicly-available" 
servers.  Some like to think of the DMZ as the "sacrificial lamb", and to a 
degree it is.  The general idea is that if someone wants to trash something, 
let it be in the DMZ.  By the same token, if someone were to trash your DMZ 
server, they still don't have direct access to the trusted LAN.

Jim Harrison
MCP(2K), A+, Network+, PCG


----- Original Message ----- 
From: Jay 
To: [ISAserver.org Discussion List] 
Sent: Friday, August 10, 2001 7:18 AM
Subject: [isalist] Re: DNS Subnet question with DMZ

Is there a benefit of putting E2k (or any server) on the DMZ, over just publishing 
it from the internal net?

----- Original Message ----- 
From: Jim Harrison 
To: [ISAserver.org Discussion List] 
Sent: Friday, August 10, 2001 9:38 AM
Subject: [isalist] Re: DNS Subnet question with DMZ

Unfortunately, the best you can do for the DMZ server is a single IP with the 
set you're given.
Since the DMZ in a three-homed ISA is a subnet of the external subnet, you 
have to use a /30 mask for the DMZ, giving you only 2 usable IPs: one for the 
ISA DMZ NIC and one left for a server.
Is the Exchange server an E2K variation?  If so, placing it in the DMZ is more 
trouble than it's worth, given the issues related to AD membership across a 
firewall.

Jim Harrison
MCP(2K), A+, Network+, PCG


----- Original Message ----- 
From: cismic 
To: [ISAserver.org Discussion List] 
Sent: Thursday, August 09, 2001 9:51 PM
Subject: [isalist] DNS Subnet question with DMZ

I also posted this to the message boards. Sorry for the duplication.  Just 
thought I'd see if anyone was online tonight with some ideas.

:-)

Hello,

I'm using 10.0.0.1 for illustration:

I have 10.0.0.1/29 (8 IPs, 32 per C) as my ip address. IP's .1 and .8 are being 
used by my ISP.  .7 is assigned to my CISCO 776M ISDN router.

That leaves me with 5 ip addresses to use: .2, .3, .4, .5, .6

EXT NIC 1. = .2
DMZ NIC 1. = .3
DMZ servers would be .4, .5, .6

If I split those into something like the following:

.4 sql
.5 web
.6 DNS

I run out of addresses and won't be able to place my exchange server in the DMZ.

and the Internal NIC private could be 10.0.1.0

Is there another method that will work just as well so I can publish my 
Exchange server?

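As an added worked example (not part of the thread or any poster's own text): the DMZ egress allow-list Hugo describes (only udp/53 and tcp/25 may initiate connections outward) expressed as a check over constructed connection records, together with the /30 host count Jim mentions. The 10.0.0.x addresses, the record format and the function names are assumptions chosen for illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: the DMZ is a /30 carved out of the /29 the ISP assigned
# (Jim's point); host numbers follow the thread's illustrative 10.0.0.x values.
EXTERNAL_NET = ipaddress.ip_network("10.0.0.0/29")
DMZ_NET = ipaddress.ip_network("10.0.0.4/30")

# Hugo's egress rule: from the DMZ only DNS (udp/53) and SMTP (tcp/25) may
# initiate connections to the Internet. Stored as (proto, dst_port) pairs.
DMZ_EGRESS_ALLOW = {("udp", 53), ("tcp", 25)}


def dmz_usable_hosts(net: ipaddress.IPv4Network) -> List[str]:
    """Usable host addresses in the DMZ subnet (network/broadcast excluded)."""
    return [str(h) for h in net.hosts()]


def dmz_egress_permits(src: str, proto: str, dst_port: int) -> bool:
    """True if a new outbound connection is acceptable under the DMZ policy.

    Sources outside the DMZ are not covered by this rule and pass through."""
    if ipaddress.ip_address(src) not in DMZ_NET:
        return True
    return (proto.lower(), dst_port) in DMZ_EGRESS_ALLOW


def find_policy_violations(log_lines) -> List[Tuple[str, str, int]]:
    """Parse constructed 'src proto dst_port' records, one per new outbound
    connection, and return those the DMZ egress policy would deny (alert on)."""
    violations = []
    for line in log_lines:
        src, proto, port = line.split()
        if not dmz_egress_permits(src, proto, int(port)):
            violations.append((src, proto, int(port)))
    return violations


# Constructed sample records: one per new outbound connection attempt.
SAMPLE_LOG = [
    "10.0.0.5 tcp 25",    # SMTP relay from the DMZ mail host: allowed
    "10.0.0.5 udp 53",    # DNS lookup from the DMZ: allowed
    "10.0.0.6 tcp 8080",  # unexpected new tcp connection from the DMZ: deny/alert
    "10.0.1.20 tcp 443",  # internal LAN host: not subject to this rule
]

if __name__ == "__main__":
    print("DMZ usable hosts:", dmz_usable_hosts(DMZ_NET))
    for v in find_policy_violations(SAMPLE_LOG):
        print("DENY %s %s/%d" % v)
```

Running it lists the two usable DMZ addresses (one for the ISA DMZ NIC, one for the server) and flags only the 10.0.0.6 tcp/8080 record, which is exactly the class of connection a planted trojan would need to open.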
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 