Bill,
Not knowing the particulars, I'm assuming you have one firewall, i.e.,
Inet-------FW1------Public/Private Servers
First, there is an intrinsic disadvantage that only one firewall needs to be penetrated to enter the local network. Consider a second perimeter protection entity, i.e., a router/FW combo with a hub in between, for rapid isolation of targeted servers or just for growth. Also, you can put in a second or third collection machine without disrupting network traffic.
Second, there must be an enforcement point between networks at a different trust level. So this configuration would put the public servers and the internal private servers at the same trust level. If they are really different, then your security policy should enforce that difference.
In addition, placing public untrusted servers on the same trusted domain firewall is about as sure a way of getting your internal network compromised as any. By allowing inbound connections to pass through the firewall to appointed segments, you are opening up your trusted segments to attack as soon as a vulnerability is discovered in one of the untrusted segment servers. Granted the other segments are protected by policy, but considering that the intrusion or vulnerability of the untrusted segment servers has compromised the firewall, it is just a matter of time before the other segments go as well.
In fact, vulnerabilities of protected servers can be used against the firewall itself. Hence, the actual firewall can be compromised. The firewall is then useless in trying to minimize the scope of the compromise (what firewalls were designed to do).
Bill Stewart wrote:
> Hi all,
>
> I am a new Network Admin and have a question about server placement behind a
> firewall. Is it better to place a publicly accessible server on the DMZ
> with a hardened OS or to place it behind the firewall with the appropriate
> ports open? I am using NAT so does this really add another level of
> security? More info: I'm getting a lot of pressure to have this box a
> member of our domain (rather than stand-alone, which I normally do). This
> is going to be a Win2K server running Terminal Services with the firewall
> opened up for RDP (TCP 3389) to the one machine (which is using one to one
> NAT). If the machine is only on the LAN and behind the firewall does the OS
> need to be hardened?
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
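One way to render the layout the reply argues for, as an added example that is not from either poster: an nftables ruleset with the public server on its own DMZ segment, RDP (TCP 3389) published through 1:1 NAT to that single host only, and connections initiated from the DMZ toward the trusted LAN logged and dropped. Interface names, address ranges and the Terminal Services host addresses are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Addresses and interfaces are placeholders.
flush ruleset

define wan_if  = "eth0"             # Internet side
define dmz_if  = "eth1"             # public (less trusted) segment
define lan_if  = "eth2"             # internal (trusted) segment
define lan_net = 192.168.10.0/24
define ts_public  = 203.0.113.10    # public address mapped 1:1 to the TS host
define ts_private = 192.168.20.10   # Terminal Services host, placed in the DMZ

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to already-permitted sessions; discard malformed state
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only RDP, and only to the one published host
        iifname $wan_if oifname $dmz_if ip daddr $ts_private tcp dport 3389 accept

        # LAN -> DMZ: administrators may reach the DMZ from the trusted side
        iifname $lan_if oifname $dmz_if accept

        # LAN -> Internet
        iifname $lan_if oifname $wan_if accept

        # DMZ -> LAN: the enforcement point between trust levels; never
        # initiated from the less-trusted side, so log it and drop it
        iifname $dmz_if oifname $lan_if log prefix "DMZ->LAN blocked: " drop
        # DMZ -> Internet falls through to the chain's drop policy; add only
        # what the published host genuinely needs
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # 1:1 NAT for the published service, restricted to the RDP port
        iifname $wan_if ip daddr $ts_public tcp dport 3389 dnat to $ts_private
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr $ts_private oifname $wan_if snat to $ts_public
        ip saddr $lan_net oifname $wan_if masquerade
    }
}
```

Load with `nft -f <file>`; the `forward` chain's default policy of drop means any flow not listed above, including anything new from the DMZ toward the LAN, is refused regardless of the NAT mapping.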