Henry,
Can you please explain what you mean?

>Mostly; some people call IP masquerading "NAT", in which case no, but
>if it's real honest-to-Hoyle NAT'ing, then yes.

Why not use this option if he is using IP MASQ?

Thanks,
Tony


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Henry Sieff
Sent: Wednesday, March 21, 2001 11:22 AM
To: 'Jesse Rink'; [EMAIL PROTECTED]
Subject: RE: Beginners Guide to DMZs ?? Help! (NT domains)



-----Original Message-----
From: Jesse Rink [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 20, 2001 8:50 PM
To: [EMAIL PROTECTED]
Subject: Beginners Guide to DMZs ?? Help! (NT domains)


[SNIP]
>Question #1 - Common sense tells me that all 3 servers using those 
>external IP addresses are VERY susceptible to attacks.  Without a 
>firewall between them and the internet, they are fair game to 
>hackers, correct?

Without at least a packet filter, then all the ports which are open on
those servers would be accessible. Without some sort of application
proxy, all the ports would accept whatever input was given to them. So
yes; now, if you spend enough time locking those servers down
according to best practices (and beyond), the danger is minimized, but
I wouldn't rely on this alone.

 
>Question #2 - Would a good solution be to move all 3 servers to a 
>DMZ?  I'm not sure if DMZ is the right "term" but this is what I 
>mean:  Change the IP address of all 3 machines from an external 
>public IP address to an internal private IP address which is isolated
>from any used on our LAN (for example, I could use 172.17.30.0/24).  
[SNIP]
 
>Is this a good start?

Fairly good; depends on your security needs. I recommend going to the
Focus-MS area of securityfocus (www.securityfocus.com) and reading the
4 part series on NT network security planning. Good basic theory
stuff...

>  Now, am I correct in assuming that I would 
> also have to use some sort of NAT on the firewall so that when 
> requests from the internet could still be resolved to the external 
> public IP address, but the firewall would translate that IP address 
> to the correct internal private address?  

Mostly; some people call IP masquerading "NAT", in which case no, but
if it's real honest-to-Hoyle NAT'ing, then yes.

 
[SNIP]
 
> Question #3 - I've heard the NT domain used in the DMZ should be 
> different than the NT domain used in the internal private network.  
> Though, the DMZ can be used as a resource domain if necessary, but 
> not the other way around.  Can you shed some light?

A "resource domain" is a domain which trusts a "user" domain (where
all the actual users are located). The "user" domain will not trust
the "resource" domain. Thus, if someone is able to bust one on your
web server and execute code as SYSTEM, that code will have a more
difficult time doing anything on your internal domain. This isn't a
guarantee; once they own your web server, there are ways to use even
a one-way trust to gain access to the internal, but it raises the bar
somewhat. 

http://support.microsoft.com/support/kb/articles/Q248/4/86.ASP gives
info on the trust and rights necessary to have the IIS server in a
different domain from the exchange server for OWA to work. I recommend
springing for an SSL certificate for the IIS server; at least your
cleartext passwords (doh!!) will be encrypted at the session level
(you won't be able to use NTLM).

Good luck,

Henry Sieff 
 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
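The NAT-versus-masquerading distinction Henry draws above, as an added example that is not part of the original thread: a static one-to-one NAT has a mapping for an unsolicited inbound request to a DMZ host, while IP masquerading (many-to-one source NAT) only holds state for connections the inside opened, so it has nowhere to deliver such a request. The public addresses and the `inbound_web_request` helper are constructed for the example; 172.17.30.0/24 is the DMZ range Jesse proposed.

```python
# Added example, not from the thread: models why static one-to-one NAT
# forwards an unsolicited inbound request to a DMZ host while IP
# masquerading (many-to-one source NAT) has nothing to forward it to.
# Addresses are constructed: 203.0.113.0/24 and 198.51.100.0/24 are
# documentation space; 172.17.30.0/24 is the range proposed for the DMZ.

class StaticNat:
    """One-to-one NAT: each public address maps to exactly one DMZ host."""
    def __init__(self, mapping):
        self.pub_to_priv = dict(mapping)
        self.priv_to_pub = {v: k for k, v in mapping.items()}

    def inbound(self, pkt):
        priv = self.pub_to_priv.get(pkt["dst"])
        if priv is None:
            return None               # no mapping for this public address: drop
        return {**pkt, "dst": priv}   # rewrite destination to the DMZ host

    def outbound(self, pkt):
        return {**pkt, "src": self.priv_to_pub.get(pkt["src"], pkt["src"])}

class Masquerade:
    """Many-to-one source NAT: inside hosts share the firewall's public IP.
    Return mappings exist only for connections the inside opened first."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}               # (proto, public port) -> (priv ip, priv port)

    def outbound(self, pkt):
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pkt["proto"], pub_port)] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": pub_port}

    def inbound(self, pkt):
        entry = self.table.get((pkt["proto"], pkt["dport"]))
        if pkt["dst"] != self.public_ip or entry is None:
            return None               # unsolicited inbound: no state, dropped
        priv_ip, priv_port = entry
        return {**pkt, "dst": priv_ip, "dport": priv_port}

def inbound_web_request(translator, public_ip):
    """Unsolicited TCP/80 request from the Internet; returns the DMZ host it
    would be delivered to, or None if the firewall has nowhere to send it."""
    syn = {"proto": "tcp", "src": "198.51.100.7", "sport": 51000,
           "dst": public_ip, "dport": 80}
    out = translator.inbound(syn)
    return None if out is None else out["dst"]
```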