The problem with a multi-homed solution is that if somebody were to compromise the ftp server, they gain unfirewalled access to your local network.
How? Use the compromised ftp to install a telnet server listening on a port (maybe one that 'calls home' to get through the DMZ firewall instead of a vanilla telnet, but not difficult). Now your bad-guy has unfirewalled access to the LAN. Easy attack #2 - install a packet sniffer that looks for interesting packets and periodically emails the sniffs, to some anonymous hotmail account (or just as a file available for download on the ftp server). etc. -----Burton -----Original Message----- From: Jennifer Fountain [mailto:[EMAIL PROTECTED]] Sent: Friday, February 14, 2003 1:42 PM To: [EMAIL PROTECTED] Subject: Question about dmz security I need an opinion on a current design implementation in place. We have an ftp server sitting in our dmz. This box has two nics - one is plugged into the dmz hub and one is plugged into our network. I think this is a security risk and we should just allow internal users access to the box via the firewall by opening the port instead of having dual nics. they do not see a security risk. maybe i am just too new at this and need some education. what is the "best" way to implement this configuration? Thank you Jenn Fountain
