Ed,
I stand corrected. I was thinking of NetBIOS over TCP, which is not required to access the services mentioned from the Internet but may be required nonetheless for access to the Exchange server for the Outlook Web Access piece. Problem is, once you enable them on the interface, they become a potential attack point.
-- Bill Stackpole, CISSP
Edward Ingram <[EMAIL PROTECTED]>
03/20/01 10:39 PM
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: Beginners Guide to DMZs ?? Help! (NT domains)
Domains do require a domain controller, but do NOT require NetBEUI. TCP/IP alone will work just fine and the only reason to use NetBEUI is for small unroutable networks.
An NT domain can span across subnets, so create your new subnet and leave your domain structure as is. However, you WILL need a WINS server since NetBIOS broadcasts can't cross routers.
----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED] ; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, March 20, 2001 8:43 PM
Subject: Re: Beginners Guide to DMZs ?? Help! (NT domains)
Jesse,
Using a third interface in the PIX to create a DMZ will give you better control over the accesses to the external servers including the access you have for the Outlook Web Access. If you have control over the router that connects you to the Internet you can install filters and other security measures there too.
You can use static NAT settings to map the server external address to internal addresses; this is pretty straightforward.
As for your domain question, I'm no NT guru, but why would you set the DMZ servers up in a domain? Domains require things like domain controllers and NetBEUI. Services and protocols you don't really need but make great attack targets. Unless there is some kind of authentication or trust you have to maintain, why use a domain at all? Less to maintain and less to worry about.
-- Bill Stackpole, CISSP
"Jesse Rink" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/20/01 06:50 PM
To: <[EMAIL PROTECTED]>
cc:
Subject: Beginners Guide to DMZs ?? Help! (NT domains)
Question #3 - I've heard the NT domain used in the DMZ should be
different than the NT domain used in the internal private network.
Though, the DMZ can be used as a resource domain if necessary, but
not the other way around. Can you shed some light?
Hmm.. Am I making any sense? haha.. please let me know and keep any
answers as detailed as possible since I seem to be a bit lost here.
THANK YOU SO MUCH.
