> -----Original Message-----
> From: Jennifer Fountain [mailto:[EMAIL PROTECTED]]
> Sent: February 14, 2003 11:42
> To: [EMAIL PROTECTED]
> Subject: Question about dmz security
>
> I need an opinion on a current design implementation in place. We have
> an ftp server sitting in our dmz. This box has two nics - one is
> plugged into the dmz hub and one is plugged into our network. I think
> this is a security risk and we should just allow internal users access
> to the box via the firewall by opening the port instead of having dual
> nics. They do not see a security risk. Maybe I am just too new at this
> and need some education. What is the "best" way to implement this
> configuration?
The POINT of a DMZ is that a firewall mediates traffic between one or more somewhat-exposed servers and the secured internal network. The private-network NIC on this box is bypassing that, and must be removed.

The firewall rules which limit traffic between the DMZ and the private network should not allow servers in the DMZ to initiate connections into the private network, and should restrict the protocols by which internal hosts are permitted to initiate connections into the DMZ.

David Gillett
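The policy David describes, written out as a Linux iptables forwarding ruleset. This is an added example, not from the thread or from either poster; it assumes a three-legged firewall with interfaces lan0 (private network), dmz0 (DMZ hub) and wan0 (Internet), and that the nf_conntrack_ftp module is available for the FTP data channel.

```shell
#!/bin/sh
# Added example: stateful DMZ policy for a three-legged Linux firewall.
# Interface names lan0 / dmz0 / wan0 are assumptions. Pass "echo" as the
# first argument to dry-run and inspect the rules instead of applying them.

apply_dmz_rules() {
    ipt="${1:-iptables}"

    # Default: nothing is forwarded unless a rule below allows it.
    "$ipt" -P FORWARD DROP

    # Return and related traffic for connections already admitted.
    "$ipt" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Internal hosts may open FTP control connections to the DMZ, nothing else.
    "$ipt" -A FORWARD -i lan0 -o dmz0 -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Internet clients may reach FTP on the DMZ server.
    "$ipt" -A FORWARD -i wan0 -o dmz0 -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT

    # The DMZ may never initiate connections into the private network.
    # A second NIC on the FTP box silently bypasses exactly this rule.
    "$ipt" -A FORWARD -i dmz0 -o lan0 -m conntrack --ctstate NEW -j DROP

    # FTP data channels are separate TCP connections; the ftp conntrack
    # helper marks them RELATED so the first ACCEPT admits them.
    "$ipt" -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

# Dry-run self-check: succeeds only if the DMZ-to-LAN block is present and
# every LAN-to-DMZ allow is restricted to tcp/21.
check_policy() {
    rules=$(apply_dmz_rules echo)
    echo "$rules" | grep -q -- '-i dmz0 -o lan0 .*NEW -j DROP' || return 1
    echo "$rules" | grep -q -- '-i lan0 -o dmz0 -p tcp --dport 21' || return 1
    if echo "$rules" | grep -- '-i lan0 -o dmz0' | grep -qv -- '--dport 21'; then
        return 1
    fi
    return 0
}
```

Run `apply_dmz_rules echo` to review the generated rules before applying them as root with `apply_dmz_rules`.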