RE: [FW1] Best Practice?!
Another option is to have an NT domain or domains in the DMZ(s). I do not like the thought of using usernames and passwords that are the same as internal. You can establish one-way trusts with your internal NT domain so that the DMZ domain(s) trust the internal but not the other way around.

I agree DMZ gives the impression of "one area" and I tend to talk about the "demilitarised zones" I have, plural rather than singular. This of course all goes out the window if you are just securing internally.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Sunday, 14 January 2001 5:07 PM
To: Ivan Fox; fw-wiz; fw-1-mailinglist (e-mail)
Subject: RE: [FW1] Best Practice?!

[snip]

In reply to #1, I would not have member servers in DMZ unless absolutely necessary. I guess it depends on your definition of "DMZ".

If you mean a network segment that is completely exposed to the internet without any rules etc., then I would suggest not running ANY servers there. Lots of these SOHO "firewalls" have no rule base and the DMZ is just wide open.

If DMZ means a network segment that has "some" access to the internet and rules defining service availability, then you might be able to run a bastion host that actually does NTLM authentication to your domain, but you should be extremely careful how this server is set up and be very careful to ensure that if/when it gets compromised it is detected quickly, and there should be a means to quickly restore it to its proper state. This means running software like tripwire/intact, rembo, etc.

If DMZ means a network segment that is secured but has no access to the internet and is only used for internal security purposes, then allowing it to be a member server is less of an issue.

I don't know if I like the term DMZ. I prefer to call them "legs" and they may be separate network segments/vlans with rules defining their allowed traffic, authentication etc. You might have 3 legs, 5 legs or more depending on what your situation is.

[snip]
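The tripwire/intact-style detection the quoted message recommends for a DMZ bastion host, as an added example that is not code from either poster or from those products: a baseline manifest of file hashes and permission bits is taken, then compared against a later walk of the same tree to report added, removed and modified files (the file names and tampering in the demo are constructed).

```python
# Minimal tripwire-style integrity check. Keep the baseline off the bastion host
# (read-only media or another system), or an intruder can simply rewrite it.
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in 64 KiB chunks so it need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each regular file (path relative to root) to (digest, permission bits)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are skipped; their targets are hashed in place
            rel = os.path.relpath(full, root)
            manifest[rel] = (hash_file(full), os.stat(full).st_mode & 0o7777)
    return manifest

def compare(baseline, current):
    """Sorted lists of paths that were added, removed, or changed in content/mode."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline three files, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("bin/inetd", "etc/passwd", "etc/hosts"):
            os.makedirs(os.path.join(root, os.path.dirname(name)), exist_ok=True)
            with open(os.path.join(root, name), "w") as f:
                f.write("original " + name + "\n")
        baseline = build_manifest(root)
        with open(os.path.join(root, "bin/inetd"), "w") as f:
            f.write("replaced binary\n")                  # content changed
        os.chmod(os.path.join(root, "etc/hosts"), 0o755)  # permissions changed
        os.remove(os.path.join(root, "etc/passwd"))       # file removed
        with open(os.path.join(root, "new_file"), "w") as f:
            f.write("dropped by an intruder\n")           # file added
        return compare(baseline, build_manifest(root))
```

Running `demo()` reports `new_file` as added, `etc/passwd` as removed, and `bin/inetd` and `etc/hosts` as modified; a real deployment would run `build_manifest` from a scheduled job and alert on any non-empty result.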