>>> On 12/3/2009 at 1:36 AM, a bv <[email protected]> wrote:
> I sometimes think that in technical life somebody's trying to fool
> me, which makes my mind work for garbage sometimes. And that mostly
> happens when I say my focus is security; everybody's everything
> becomes about security. Now our web mail server guys wanted me to
> open ports 80 and 443 for their mail servers, which are on the LAN segment,
> and they'll have people access the mail system from the web, and because
> it's HTTPS it will be secure? Then what is the DMZ for?! We have
> proxies on the LAN also. So let me ask you another question: what to put
> (what we should) on the DMZ, or not? What accesses for the hosts on the LAN
> can be given to the outside world and DMZ?

Having direct HTTP or HTTPS access to your email on the internal LAN is probably a Bad Idea. That is definitely something that would belong in the DMZ if possible. But these things are not always possible. I would also note that direct access to your email from the Internet, no matter the protocol, is a Very Bad Idea if you're just using username-password authentication and not something token, OTP, or at least certificate based.

> 2009/12/3 pkc_mls <[email protected]>:
>> a bv wrote:
>>> They wanted me to add an access rule for both ways between that host on the
>>> LAN and the whole DMZ subnet for the ESP protocol group. On the host side,
>>> the owners (other people from my company) applied IPsec on the hosts,
>>> as I know. Can you explain in detail for statement in writing?
>>> Regards
>> Sounds really strange.
>> As someone already mentioned on the list, you need either 2 gateways or
>> one gateway and one VPN client for IPsec.
>>
>> If the device in between already has some VPN connection,
>> it can be quite hard to have IKE or ESP go through.
>>
>> If the need is to secure traffic between a DMZ and the LAN, what's the
>> benefit of having already a firewall in between?
>>
>>
>> Scanned by Check Point Total Security Gateway.
>>
>> =================================================
>> To set vacation, Out-Of-Office, or away messages,
>> send an email to [email protected]
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> To unsubscribe from this mailing list,
>> please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> If you have any questions on how to change your
>> subscription options, email
>> [email protected]
>> =================================================
