About your question 3: Microsoft recommends different NT domains, where the "DMZ domain" trusts the firewall domain. This topology is recommended because it gives you more security, as any hacker trying to get into your DMZ needs to penetrate through the trust relationship between these two domains. The direction of the trust relationship determines one more level of security.

I hope this helps.

Miguel Hernández
-----Original Message-----
From: Jesse Rink [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 20 March 2001 08:50 p.m.
To: [EMAIL PROTECTED]
Subject: Beginners Guide to DMZs ?? Help! (NT domains)
Please be kind.

I admit to knowing little about firewalls and DMZs, but that's why I'm here... I know enough to be considered dangerous (when it comes to project planning, that is).

Here's my situation. I have an internal LAN which consists of a private internal network (172.17.17.0/24) with a Cisco PIX Firewall between the private internal network and our direct connection to the Internet.

LAN-----Firewall-----Internet

We also have 3 servers which are located between our firewall and the internet (as far as I can tell), and they use a PUBLIC external IP address provided to us from our ISP.

LAN-----Firewall------Internet
              |
              |
           Servers

Server #1 - Outlook Web Access server (connects to our internal Exchange server)
Server #2 - Internet/Intranet Web server
Server #3 - Weather Station server

Question #1 - Common sense tells me that all 3 servers using those external IP addresses are VERY susceptible to attacks. Without a firewall between them and the internet, they are fair game to hackers, correct?

Question #2 - Would a good solution be to move all 3 servers to a DMZ? I'm not sure if DMZ is the right "term", but this is what I mean: change the IP address of all 3 machines from an external public IP address to an internal private IP address which is isolated from any used on our LAN (for example, I could use 172.17.30.0/24).

LAN-----Firewall-----Internet
              |
              |
             DMZ

LAN - Internal network address of 172.17.17.0
DMZ - Internal network address of 172.17.30.0

Is this a good start? Now, am I correct in assuming that I would also have to use some sort of NAT on the firewall so that requests from the internet could still be resolved to the external public IP address, but the firewall would translate that IP address to the correct internal private address? For example: if someone from the internet wanted to access the Weather Station server, they would enter the same DNS name (or public IP address), and my firewall should be set to KNOW that when requests for that particular IP address are made, to pass that request to the internal private IP address of the Weather Station server. Of course, the firewall would also check the port rules to make sure that request was valid or inappropriate.

Argh, next question....

Question #3 - I've heard the NT domain used in the DMZ should be different than the NT domain used in the internal private network. Though, the DMZ can be used as a resource domain if necessary, but not the other way around. Can you shed some light?

Hmm.. Am I making any sense? haha.. Please let me know and keep any answers as detailed as possible since I seem to be a bit lost here.

THANK YOU SO MUCH.
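As an added illustration of the layout asked about in Question #2 (one PIX with inside, DMZ and outside interfaces, static NAT for the three servers, and port rules on top), here is a PIX 6.x-style configuration fragment; it is not from the original thread and was not posted by either participant. The public addresses 203.0.113.x, the DMZ host addresses, the internal Exchange address 172.17.17.25 and the permitted ports are all placeholders or assumptions to be replaced with the real values.

```cisco
! Added example, not from the thread. PIX 6.x-style syntax; all addresses are placeholders.
! Three interfaces: outside (untrusted), dmz (semi-trusted), inside (trusted).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 172.17.17.1 255.255.255.0
ip address dmz 172.17.30.1 255.255.255.0

! Outbound connections from the LAN and the DMZ hide behind the outside interface address.
global (outside) 1 interface
nat (inside) 1 172.17.17.0 255.255.255.0
nat (dmz) 1 172.17.30.0 255.255.255.0

! Static NAT: each public address (203.0.113.x placeholders) maps 1:1 to a DMZ host,
! so the existing DNS names keep resolving to the public address.
! .10 = Outlook Web Access, .11 = Internet/Intranet web server, .12 = Weather Station.
static (dmz,outside) 203.0.113.10 172.17.30.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 172.17.30.11 netmask 255.255.255.255
static (dmz,outside) 203.0.113.12 172.17.30.12 netmask 255.255.255.255

! Inbound policy: only the service port of each server is allowed; the implicit
! deny at the end of the list drops everything else. Ports are assumptions
! (HTTPS for OWA, HTTP for the two web servers).
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in permit tcp any host 203.0.113.11 eq 80
access-list outside_in permit tcp any host 203.0.113.12 eq 80
access-group outside_in in interface outside

! DMZ -> LAN: the OWA server may reach only the Exchange server (placeholder
! 172.17.17.25). Narrow "ip" to the ports your Exchange version actually needs.
! The explicit deny documents that nothing else in the DMZ may initiate to the LAN;
! any further DMZ-originated traffic (DNS, updates) needs its own permit line.
static (inside,dmz) 172.17.17.25 172.17.17.25 netmask 255.255.255.255
access-list dmz_in permit ip host 172.17.30.10 host 172.17.17.25
access-list dmz_in deny ip any 172.17.17.0 255.255.255.0
access-group dmz_in in interface dmz
```

With this in place, a compromised DMZ host is confined by the dmz_in list rather than sitting on the same wire as the LAN, which is the isolation the question is reaching for.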