Strictly speaking, you don't have a DMZ: such a configuration looks like
this:

       Internet
          |
     #----------#
     | Firewall |--- DMZ
     #----------#
          |
     Local network

The difference between this and your setup is that with this one there are
six sets of rules which are configurable: Internet > DMZ, DMZ > Local
network, Internet > Local network and vice versa.

The beauty of this system is you can allow http only into the DMZ from the
Internet, and telnet / ftp / http into the DMZ from the local network. Then
you allow most everything from the local net into the Internet (depending on
your security policy: you might want to stop Napster, or if you're
paranoid/extra secure or have a company policy to that effect, you have
everything off and switch stuff on as needed). Most importantly, you then
allow no connections to be initiated from the DMZ or the Internet into the
local network.

So if someone hacks into your webserver in the DMZ, they still won't be able
to get into your local network. This is why reverse proxying through a proxy
server is a bad idea: if someone hacks into your webserver they'll
potentially have access to everything on your local network.

-----Original Message-----
From: Kelly Slavens [mailto:[EMAIL PROTECTED]]
Sent: 02 February 2001 15:33
To: [EMAIL PROTECTED]
Subject: Configuration Arguments... In House...

I have a situation where I have a server which will host web content from
"internal" data to the external world. This server needs only to have web
services accessible to the outside world beyond our network. Our current
configuration is a Cisco hardware NAT/router packet filter directly
connected to the Internet connection. Connected to that is our MSProx2.0
(being replaced with ISA Server soon)... One individual wishes to place this
new web server directly behind the NAT alongside the Prox, with a so-called
"one way" push-only network connection to the internal network. This seems
like a bad idea to me. My suggestion was to place the web server behind the
Prox and use reverse proxying to redirect all web traffic to only this single
internal web server. This to me seems to be more secure than a second
machine sitting in the DMZ with a connection to the internal network.

I'm new in the security/firewall game, so all suggestions and help would be
great... Especially any sources for best practices or suggested
configurations. Basically any and all information would be great!

Thanks!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
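The three-zone rule matrix the reply describes (six configurable directions, default deny, rules applied to the direction in which a connection is initiated) can be written down as a small policy model and then queried with the defender's question the reply raises: if the web server is compromised, what can it initiate into the local network? The example below is added here and is not code from either mail; it goes a little beyond the reply by modelling both the DMZ design and the reverse-proxy design from the original question side by side. The service list, the "Napster" outbound block and the default deny for DMZ > Internet (which the mail does not discuss) are constructed assumptions.

```python
"""Three-zone firewall policy model (added example, not from the original mail).

Zones are Internet, DMZ and the local network; each ordered pair of zones has
its own rule set, giving the six configurable directions the reply describes.
A rule set is consulted for the direction in which a connection is *initiated*;
return traffic is implied, as on a stateful packet filter. Directions with no
rule set are denied.
"""
from dataclasses import dataclass

INTERNET, DMZ, LAN = "Internet", "DMZ", "Local network"
ZONES = (INTERNET, DMZ, LAN)
ANY = "*"

# Services used in the sample queries below (constructed list).
SERVICES = ("http", "telnet", "ftp", "smb", "napster")


@dataclass(frozen=True)
class RuleSet:
    """Services allowed for one direction; `deny` lists exceptions checked first."""
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()

    def permits(self, service: str) -> bool:
        if service in self.deny:
            return False
        return ANY in self.allow or service in self.allow


def permitted(policy, src, dst, service):
    """True if a connection initiated in zone `src` towards zone `dst` may pass."""
    if src == dst:
        return True  # same zone: the traffic never crosses the firewall
    return policy.get((src, dst), RuleSet()).permits(service)


def exposure(policy, compromised_zone, services=SERVICES):
    """Services a host in `compromised_zone` could initiate into each zone."""
    return {
        dst: sorted(s for s in services if permitted(policy, compromised_zone, dst, s))
        for dst in ZONES
    }


# Policy from the reply: HTTP only from the Internet into the DMZ; telnet, ftp
# and http from the local network into the DMZ; most things out from the local
# network (Napster blocked as the example); nothing initiated from the DMZ or
# the Internet into the local network. DMZ -> Internet is not discussed in the
# mail and is left at default deny here (assumption).
DMZ_POLICY = {
    (INTERNET, DMZ): RuleSet(allow=frozenset({"http"})),
    (LAN, DMZ): RuleSet(allow=frozenset({"telnet", "ftp", "http"})),
    (LAN, INTERNET): RuleSet(allow=frozenset({ANY}), deny=frozenset({"napster"})),
}

# The alternative from the original question: the web server sits inside the
# local network and is published through a reverse proxy, so the firewall has
# to pass HTTP from the Internet towards the local network (via the proxy).
REVERSE_PROXY_POLICY = {
    (INTERNET, LAN): RuleSet(allow=frozenset({"http"})),
    (LAN, INTERNET): RuleSet(allow=frozenset({ANY}), deny=frozenset({"napster"})),
}


def lan_exposure_after_webserver_compromise(policy, webserver_zone):
    """Services a compromised web server in `webserver_zone` reaches on the LAN."""
    return exposure(policy, webserver_zone)[LAN]


if __name__ == "__main__":
    for name, policy, zone in (("DMZ design", DMZ_POLICY, DMZ),
                               ("reverse proxy design", REVERSE_PROXY_POLICY, LAN)):
        reach = lan_exposure_after_webserver_compromise(policy, zone)
        print(f"{name}: compromised web server reaches on LAN -> {reach or 'nothing'}")
```

With the DMZ design the compromised web server reaches nothing on the local network; with the web server inside the local network behind a reverse proxy, the firewall never sees its traffic to its neighbours, which is the point the reply makes.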
