DMZ Policies

richarddowna
Level 1

Hi there,

I am currently setting up a DMZ for webhosting.

I just want to talk about my current setup and see what you guys think. Is it correct? Could it be better?

Currently,

DMZ has no contact with the General Network

DMZ cannot even ping its gateway (is this bad? I can confirm the hosting does work, or is this working as it should be for a DMZ?)

DMZ has port 80 open

General Network cannot ping its gateway (is this bad? or good?)

General Network can ping and has full access to the DMZ Server

General Network has no incoming ports open

Router cannot ping any networks at all.

Router can ping Internet IP addresses.

Is this odd behaviour for the router? Or is this what is wanted for a DMZ router?

Opinions / ideas appreciated!

Thanks

1 Reply

hobbe
Level 7

Well, this is a big subject, so I'll have to give you a big answer, sorry.

This is how I see things. Others see it differently.

First of all, security is always a trade-off.

Example:

Depending on where you are and what you are doing, it might be a good idea to let computers ping.

The good side is that it's easier for the users to do some testing themselves if there is a problem; the bad side is that an aggressor might attack or hide information inside the ICMP packets.

Which is more important to you and your organization?

Second of all, almost no one is willing to pay for "ultimate" security.

And to be honest, it's seldom worth "ultimate" security.

It's always cost vs. cost, i.e. the cost of defenses vs. the cost of cleaning up the damage(s) and the risk of it happening.

Third, it is always a knowledge game.

So now to what I think is wrong with your solution.

First of all, what is a DMZ?

A DMZ for me is a place where I collect all the servers that need to communicate with, e.g., the Internet.

However, that does not mean that I collect all servers on the same DMZ.

If possible, I choose one DMZ per server type, i.e. one for WWW, another for FTP and so on.

Why? Every server has its weak points; the fewer in a network, the better. If an aggressor succeeds in getting a foothold in one of the servers, that server will be the bridgehead of the attack: they know everything that server is able to see and attack. If there are no stops between the attacked server and the rest of the servers on that network, it's most likely fairly easy to get the rest of the servers on that network, and now the aggressor most likely has good bandwidth towards attacking all other servers on that network.

So separate servers as much as possible.

If you cannot set them on different DMZs, then try protected ports so that the servers cannot see each other.

Why is it not good enough with just access-lists in the switch? Well, not every protocol the servers use is IP, and the access-lists only stop IP.

As always, you do not want the servers of the DMZ to initiate contact inwards if you have a choice.

Use the switch to check for unusual traffic; if need be, isolate the server when in doubt.

And last but most certainly not least, log everything.

If there is an incident, that will give you invaluable information on what happened, how it happened and what you can do to stop it.

In simple terms, use your imagination and anything you have, equipment-wise, to make it harder for the aggressor to gain a foothold.

Good luck

Hope This Helps

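As an added example (editor's illustration, not configuration from either post above), here is what the rules discussed in the thread look like on a Cisco Catalyst layer-3 switch: one VLAN per DMZ type, protected ports so that servers in the same DMZ cannot see each other at layer 2 (which also stops the non-IP traffic that an IP access-list cannot filter), an access-list on the DMZ gateway that lets the web server answer connections but not start any toward the General Network, and logging of whatever is denied. The VLAN numbers, interface names and addresses (192.0.2.0/24 as the WWW DMZ, 198.51.100.53 as the resolver, 10.0.0.0/8 as the General Network, 10.0.0.50 as the syslog host) are assumptions chosen for the example.

```cisco
! Assumed layout: 192.0.2.0/24 = DMZ-WWW, 10.0.0.0/8 = General Network
! One VLAN per server type, so a compromised FTP host is not on the web servers' wire.
vlan 10
 name DMZ-WWW
vlan 20
 name DMZ-FTP
!
! Web server access ports. "switchport protected" blocks all traffic between
! protected ports in the same VLAN, IP and non-IP alike; the servers can only
! reach the gateway (an unprotected port or the SVI), not each other.
interface GigabitEthernet0/1
 description www1 (assumed host name)
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description www2 (assumed host name)
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
! Applied "in" on the DMZ-WWW SVI, i.e. it filters packets coming FROM the DMZ.
! Order matters: first hit wins.
ip access-list extended DMZ-WWW-OUT
 remark replies to TCP connections that a client (Internet or General Network) opened
 permit tcp 192.0.2.0 0.0.0.255 any established
 remark answers to pings from the General Network, but no pings started by the DMZ
 permit icmp 192.0.2.0 0.0.0.255 any echo-reply
 remark the only thing the web server may start toward the inside: DNS to the assumed resolver
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.53 eq 53
 remark anything else the DMZ starts toward the General Network is dropped and logged
 deny   ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark outbound to the Internet (updates, etc.); tighten to the hosts you actually need
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan10
 description DMZ-WWW gateway
 ip address 192.0.2.1 255.255.255.0
 ip access-group DMZ-WWW-OUT in
!
! Log everything that is denied to a host outside the DMZ, with timestamps,
! so the record survives if the switch itself is attacked.
service timestamps log datetime msec
logging host 10.0.0.50
logging trap informational
```

Two caveats worth knowing before relying on this. The `established` keyword is stateless: it matches any TCP segment with ACK or RST set, so a compromised web server can still push such packets at the General Network; a stateful firewall (an ASA, or IOS zone-based policy) between the DMZ and the inside is the real stop, and the switch ACL is a second layer. Protected ports also only isolate ports on the same switch; servers on two switches in the same VLAN still see each other unless you use private VLANs or separate VLANs. To verify the policy, `show access-lists DMZ-WWW-OUT` shows the hit counter on each line (a DMZ host's ping or SSH toward the inside should increment the logged deny), and `show logging` shows the resulting syslog entries.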