On 04/03/2013 05:15 PM, Syafril Hermansyah wrote:
> If you want to use a DMZ you need at least 2 (one facing the Internet and the other
> facing the LAN); some people even say it is better to have 3, because a single DMZ
> is actually not secure and not safe for an Internet Mail Server, it is only OK for a
> public Web server :-)
>
> http://redmondmag.com/Articles/2005/07/01/Dump-Your-DMZ.aspx?Page=1

I'll copy just the important parts.

--- begin copy ---

I believe that DMZs can give you a false sense of security. If you do a thorough assessment of your security architecture, you may well decide you'd be better off just dumping it.

...

You can improve the security of your firewall by using a second firewall to implement a back-to-back design, shown in Figure 2. With this design, an external firewall controls the traffic between the Internet and the DMZ. A separate internal firewall controls the flow of traffic between the DMZ and the internal network. Using two firewalls eliminates the single point of failure in the three-legged design. In a three-legged design, a hacker who can bypass the firewall can gain access to the internal network. With a back-to-back design, the internal firewall protects the internal network even if a hacker has managed to bypass the external firewall. However, using two firewalls still doesn't solve the fundamental problem of using port-based control of traffic between security zones.

Why DMZs Don't Work

The DMZ concept relies on firewall rules that allow network traffic to move between different security zones based on IP addresses and ports. Some firewalls add inspection of application-layer filtering to the mix, inspecting application protocols like HTTP. For communications between the Internet and your publicly accessible servers, you have to rely on addresses to define firewall rules; because there is currently no technology that can reliably authenticate computers on the Internet, you have no control over what's out there. A good security design compensates for this lack of authentication by severely restricting and carefully monitoring any traffic from the Internet, because you can't trust any computer you don't control.

http://redmondmag.com/Articles/2005/07/01/Dump-Your-DMZ.aspx?Page=2

The problem with IP addresses is that they can lie. They're easily spoofed, and logon requests to a domain controller that appear to originate from your mail server's IP address may instead have come from a computer that's been taken over by an attacker. Similarly, ports aren't reliable indicators of the type of network traffic. For example, port 80 is most often used for Web communications, but there's no guarantee that it isn't used by an attacker to transfer confidential data out of your internal network to a computer in the DMZ controlled by this attacker.

http://redmondmag.com/Articles/2005/07/01/Dump-Your-DMZ.aspx?Page=3

When To Keep Your DMZ

While there are often good reasons to dump your DMZ, there are still some situations where using one makes sense. The most common one is for servers that accept connections from the Internet but don't need to communicate with your internal network, such as a simple public Web server. Also, if you're using simple protocols and require no computer authentication, DMZs can provide the level of security you need. For example, SMTP relay servers that send and receive e-mail messages but don't store or process them are perfect candidates for placement in a DMZ.

----

It would be better to put MDaemon (completely) behind the firewall, or alongside the firewall (using 2 NICs, a natural firewall).

--
syafril
-------
Syafril Hermansyah
MDaemon-L Moderators, running MDaemon 13.5 Beta B SecurityPlus 4.1.5
Please do not cc: or send private mail for MDaemon issues.

--
--[MDaemon-L]------------------------------------------------
This list is for discussion among MDaemon Mail Server users.
Netiquette: http://www.netmeister.org/news/learn2quote
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.co.id
Unsubscribe: send mail to MDaemon-L-unsubscribe [at] dutaint.com
Subscribe: send mail to MDaemon-L-subscribe [at] dutaint.com
Latest versions: MD 13.0.5, SP 4.1.5, BES 2.0.2, OC 2.3.1, SG 2.1.0, PP 2.0.1
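The two points the copied article makes (a second firewall removes the single point of failure, but address/port rules still trust whatever claims the mail server's address) can be seen in a small policy model. The following Python is an added example, not code from the list post or from the Redmond Magazine article; the addresses, rule set and function names (build_design, outside_host_reaches_dc_after_bypass, compromised_mail_server_reaches_dc) are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (hypothetical): RFC 5737 documentation space for the
# DMZ and the outside host, RFC 1918 space for the internal network.
INTERNET = "0.0.0.0/0"
DMZ = "192.0.2.0/24"
LAN = "10.0.0.0/8"
MAIL_SERVER = "192.0.2.25"    # SMTP relay placed in the DMZ
DOMAIN_CTRL = "10.0.0.10"     # domain controller on the internal network
OUTSIDE_HOST = "203.0.113.7"  # some host on the Internet


@dataclass(frozen=True)
class Rule:
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)
    port: int     # destination port, 0 = any
    action: str   # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.port in (0, port))


class Firewall:
    """First-match evaluation of address/port rules with a default deny.

    Like the port-based control the article describes, it sees only the
    claimed source address, the destination and the port; it cannot tell
    who is really behind the source address or what the payload carries.
    """

    def __init__(self, name: str, rules: list):
        self.name = name
        self.rules = list(rules)
        self.bypassed = False  # True models "a hacker who can bypass the firewall"

    def decide(self, src: str, dst: str, port: int) -> str:
        if self.bypassed:
            return "allow"
        for rule in self.rules:
            if rule.matches(src, dst, port):
                return rule.action
        return "deny"


def three_legged(external: Firewall) -> dict:
    """One firewall with Internet, DMZ and LAN legs: every hop crosses the same device."""
    return {"to_dmz": external, "to_lan": external}


def back_to_back(external: Firewall, internal: Firewall) -> dict:
    """External firewall in front of the DMZ, a separate internal firewall in front of the LAN."""
    return {"to_dmz": external, "to_lan": internal}


def path_allowed(design: dict, hops: list) -> bool:
    """Traffic gets through only if the firewall on every hop allows it."""
    return all(design[hop_fw].decide(src, dst, port) == "allow"
               for hop_fw, src, dst, port in hops)


def build_design(name: str) -> dict:
    external = Firewall("external", [
        Rule(INTERNET, MAIL_SERVER, 25, "allow"),  # inbound SMTP to the relay
        Rule(DMZ, DOMAIN_CTRL, 389, "allow"),      # mail server -> DC (LDAP): the rule the article warns about
    ])
    internal = Firewall("internal", [
        Rule(DMZ, DOMAIN_CTRL, 389, "allow"),      # the same address-based rule on the inner firewall
    ])
    if name == "three-legged":
        return three_legged(external)
    if name == "back-to-back":
        return back_to_back(external, internal)
    raise ValueError(name)


def outside_host_reaches_dc_after_bypass(name: str) -> bool:
    """The external firewall has been bypassed; can an Internet host reach the DC directly?"""
    design = build_design(name)
    design["to_dmz"].bypassed = True
    return path_allowed(design, [("to_lan", OUTSIDE_HOST, DOMAIN_CTRL, 445)])


def compromised_mail_server_reaches_dc(name: str) -> bool:
    """No bypass at all: traffic carrying the DMZ mail server's address reaches the DC
    on the permitted port, whether or not the real mail server sent it."""
    design = build_design(name)
    return path_allowed(design, [("to_lan", MAIL_SERVER, DOMAIN_CTRL, 389)])


if __name__ == "__main__":
    for design in ("three-legged", "back-to-back"):
        print(design,
              "| external firewall bypassed, outside host reaches DC:",
              outside_host_reaches_dc_after_bypass(design),
              "| mail server address reaches DC:",
              compromised_mail_server_reaches_dc(design))
```

Run as a script, the first check differs between the designs (only the three-legged one lets a bypass of the single firewall reach the domain controller), while the second check is the same for both: as long as the rule is written in terms of the mail server's address, either design passes that traffic, which is why the article's advice is to restrict and monitor such rules rather than count on the extra firewall.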