Re: DHCP and web server in a DMZ or should we publish from the private network

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 29 Dec 2001 20:30:11 -0800

You need to step back a second and decide on your security model.

1. DHCP in the DMZ is a randomizing thought; ditch it.
2. separate subnets for only two servers is over-designing

How many clients (internal and external) are you serving with the web and
Exchange servers?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Brian Harris" <bharris@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, December 29, 2001 16:47
Subject: [isalist] Re: DHCP and web server in a DMZ or should we publish
from the private network


http://www.ISAserver.org


Thanks Jim,

Just as a compromise, how does this sound?

Publish the web server in the normal fashion on the private side.

Place a DHCP server in the DMZ to allow IP addresses to be available to
the public... But do the IPs in a DMZ have to be public? I seem to
remember some notes on this isaserver.org saying due to packet filtering
only available to the DMZ don't use a private subnet???

I can't see the wood for the trees on this one!!

I'm now considering setting up two sites in Active Directory and placing
the web server in one subnet and the private network in another.  So NAT
from the external IP to two different internal NICs on two subnets...

I have two servers to publish Exchange 2000 and WWW Server. So one in
each subnet...

Thanks

Brian Harris


>>> jim@xxxxxxxxxxxx 12/29/01 01:12 AM >>>

That depends on whether you're more concerned with:
1. the web server - keeping safe and secure is best served with web
   publishing a private-side host
2. the private LAN - keeping it safe is best served by DMZ hosting the
   web server.

HTH,
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Brian Harris" <bharris@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 27, 2001 20:14
Subject: [isalist] DHCP and web server in a DMZ or should we publish
from the private network



Hi,

I have a topic that I need some advice on.  I have a site (park) that is
open to the general public and they will be able to roam around the site
using wireless technology to log on to the proposed DMZ and will be
issued with an IP via DHCP and then as they move from one area to another
they will have different information available from a web server in the DMZ.

The wireless side is fine but I'm struggling on whether I need to set
the web server up in a DMZ or publish it from the private network.  My
security experience is smacking me in the face and saying no to the
private side publishing....!!!  As users will have a valid private IP
address.

Has anyone done any work on this area?

Thanks in advance and this site is great!!!

Regards

Brian Harris


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')






