Re: IP Addresses on DMZ

  • From: "Hugo Caye" <Hugo@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 31 Jul 2001 14:49:20 -0300

Usually a DMZ is used to be sure that hosts in that subnetwork cannot start new 
connections to the outside world. Obviously there are some exceptions, like 
SMTP. For example, is it necessary for the Web server that sits on the DMZ to 
open new tcp/80 connections to the Internet? It seems that the Code Red worm 
should never have spread if such simple precautions were deployed.

"Good" hackers know the bugs and exploits at least 10 to 15 days in advance. 
It's quite impossible to maintain a system 100% updated.

This simple practice (using a DMZ) avoids this type of attack. Even if an 
external host compromises your host, it cannot be used to start attacks on 
others, spreading the malicious code.

This restrictive policy applied to the DMZ cannot be applied to internal hosts (fw 
clients), where you leave open a great variety of services from the inside 
network to the outside.



-----Original Message-----
From: Guinn Unger [mailto:geunger@xxxxxxxxxxxxx]
Sent: Monday, July 30, 2001 23:44
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: IP Addresses on DMZ


http://www.ISAserver.org


I have read a good bit of this material, but it gets rather
overwhelming pretty quickly.  So suppose we step back 10 
paces and ask ourselves what we really want.  My ultimate
goal is to have internet access, publish one or two web
servers, publish an Exchange server, and have VPN access
both from our desktops to outside sites and from outside
to our network.

From what I had read, it seemed like a DMZ would be a good
solution, but I'm beginning to wonder.  If I go back to our
ISP and ask for a bigger block of IP addresses I feel pretty
certain they are going to balk.  They seemed very reluctant
to give us the eight that they did.  (It also seems like we
are using IP addresses pretty inefficiently if I need more
than 8 public IP addresses to publish three servers.  Oh,
well.)

How much of a security risk would it really be to have our
web servers and Exchange server on our private network?
Does the DMZ really offer that much extra security?  If we
keep up with security patches and such, do we really need the
DMZ?  I can't imagine that we have very much that anybody
would want on our network except to take over a server for
DOS attacks or something similar.  Does that make sense?

Again, thanks in advance for the help.

Guinn

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, July 30, 2001 7:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: IP Addresses on DMZ


One problem you have is that with 6 IPs, any further subnetting is limited
to two functional DMZ IPs; one for the ISA DMZ NIC and one for the DMZ
server.

There is some general ISA deployment reading you should do before plunging
headlong into the abyss that is ISA :-)...

http://www.isaserver.org/shinder/tips/getting_started.htm
http://www.isaserver.org/shinder/tutorials/secure_nat_client.htm
http://www.isaserver.org/shinder/tutorials/designing_an_isa_server_solution_on_a%20_simple_network.htm
http://www.isaserver.org/pages/tutorials/isanetworks.htm
http://www.isaserver.org/shinder/tutorials/dmz_scenarios.htm

and many more in the "Learning Zone"...

 Jim Harrison
 MCP(2K), A+, Network+, PCG

