Security Basics mailing list archives

Re: Host placement and DMZ internal/external questions.


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Wed, 19 Oct 2005 20:28:25 +0530

On 13/10/05 17:34 -0400, Adam T wrote:
> I have a few questions about DMZ internal and external networks
> that I need help with.
> 
> 1. If you have a host such as Citrix that must have access to the
> internal network, does that sit on your DMZ?

Generally, it is a bad idea to allow connections from zones with lower
security to zones with higher security. Personally, I would say that you
use a VPN and a separate DMZ reachable only from your VPN concentrator
to use Citrix.

world --> Firewall --> DMZ1

users --> VPN conc --> DMZ 2 ---> Internal


> 2. Antivirus mail gateway servers / antivirus update server, do those
> sit on your DMZ?

Your gateway server would be part of your firewall. Block all port
25/tcp requests outbound, except from your internal mailhubs. The
mailhubs relay via outbound mail gateways in the DMZ.

Antivirus update servers should be internal. Alternatively, you _could_
migrate to a non-Windows OS and avoid the antivirus altogether.

> 3. A squid proxy that internal hosts access

This would again be part of your firewall, and sit in the DMZ. Have the
packet filter block all outbound requests to the world except those going
to the proxy.

> With the examples above, do I place the hosts on the DMZ and then
> modify firewall rules so that the hosts have the access they need to
> perform as internal network hosts? If so, how is that different from
> opening up a specific port directed to a specific host on the internal
> network for outside-world access?
> 
> Part of my confusion lies in that when I think DMZ, I think that the
> host should never touch the internal network and be left out in the
> DMZ alone.

Connections initiated from the DMZ should not go to the internal
network. However, responses to connections initiated from the internal
network should go to the DMZ.

Devdas Bhagat
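The zone policy sketched in the reply above (two DMZs, SMTP only from the mailhubs via the gateway, web only via the proxy, no DMZ-initiated connections into the internal network but replies to internal-initiated flows allowed) as a small stateful packet-filter model. This is an added example, not code from the original post; the address plan, host addresses, ports and scenario packets are constructed for illustration and are not from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for the two-DMZ layout (assumed, not from the post).
ZONES = {
    "internal": ip_network("10.0.0.0/16"),
    "vpn":      ip_network("10.200.0.0/24"),    # pool handed out by the VPN concentrator
    "dmz1":     ip_network("192.0.2.0/24"),     # world-facing: mail gateway, squid proxy
    "dmz2":     ip_network("198.51.100.0/24"),  # reachable only from the VPN side: Citrix
}
MAILHUBS = {ip_address("10.0.1.25")}            # the only internal hosts allowed to speak SMTP out
MAIL_GW = ip_address("192.0.2.25")
PROXY = ip_address("192.0.2.3")
CITRIX = ip_address("198.51.100.10")
PROXY_PORT, SMTP, ICA = 3128, 25, 1494


def zone_of(addr):
    """Map an address to its zone; anything outside the plan is the world."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "world"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True: new connection attempt; False: packet of an existing flow


# Rules for NEW connections only, first match wins: (name, predicate(src, dst, dport), verdict).
RULES = [
    ("web-via-proxy",      lambda s, d, p: zone_of(s) == "internal" and d == PROXY and p == PROXY_PORT, "ACCEPT"),
    ("mailhub-to-gw",      lambda s, d, p: s in MAILHUBS and d == MAIL_GW and p == SMTP, "ACCEPT"),
    ("no-direct-egress",   lambda s, d, p: zone_of(s) == "internal" and zone_of(d) == "world", "DROP"),
    ("gw-smtp-out",        lambda s, d, p: s == MAIL_GW and zone_of(d) == "world" and p == SMTP, "ACCEPT"),
    ("proxy-web-out",      lambda s, d, p: s == PROXY and zone_of(d) == "world" and p in (80, 443), "ACCEPT"),
    ("world-smtp-in",      lambda s, d, p: zone_of(s) == "world" and d == MAIL_GW and p == SMTP, "ACCEPT"),
    ("vpn-to-citrix",      lambda s, d, p: zone_of(s) == "vpn" and d == CITRIX and p == ICA, "ACCEPT"),
    ("citrix-to-internal", lambda s, d, p: s == CITRIX and zone_of(d) == "internal", "ACCEPT"),
    # Explicit so it is visible in the ruleset: nothing else in either DMZ may open a
    # connection into the internal zone.
    ("dmz-to-internal",    lambda s, d, p: zone_of(s) in ("dmz1", "dmz2") and zone_of(d) == "internal", "DROP"),
]


class ZoneFirewall:
    """Stateful filter: new connections go through RULES, later packets need matching state."""

    def __init__(self):
        self.flows = set()  # accepted flows keyed by (src, sport, dst, dport)

    def filter(self, pkt):
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        key = (s, pkt.sport, d, pkt.dport)
        reverse = (d, pkt.dport, s, pkt.sport)
        if not pkt.syn:
            # Replies from the DMZ to the internal network are fine, but only for a flow
            # the internal side opened; an unsolicited "reply" has no state and is dropped.
            if key in self.flows or reverse in self.flows:
                return ("ACCEPT", "established")
            return ("DROP", "no-state")
        for name, pred, verdict in RULES:
            if pred(s, d, pkt.dport):
                if verdict == "ACCEPT":
                    self.flows.add(key)
                return (verdict, name)
        return ("DROP", "default-deny")


def run_scenario():
    """Constructed traffic exercising each of the points made in the reply."""
    fw = ZoneFirewall()
    out = {}
    out["user-proxy"] = fw.filter(Packet("10.0.5.7", 40001, str(PROXY), PROXY_PORT))
    out["proxy-reply"] = fw.filter(Packet(str(PROXY), PROXY_PORT, "10.0.5.7", 40001, syn=False))
    out["user-direct-web"] = fw.filter(Packet("10.0.5.7", 40002, "203.0.113.80", 80))
    out["user-direct-smtp"] = fw.filter(Packet("10.0.5.7", 40003, "203.0.113.25", SMTP))
    out["mailhub-gw"] = fw.filter(Packet("10.0.1.25", 40004, str(MAIL_GW), SMTP))
    out["gw-out"] = fw.filter(Packet(str(MAIL_GW), 40005, "203.0.113.25", SMTP))
    out["dmz-new-to-internal"] = fw.filter(Packet(str(PROXY), 40006, "10.0.5.7", 445))
    out["dmz-forged-reply"] = fw.filter(Packet(str(PROXY), PROXY_PORT, "10.0.5.7", 40009, syn=False))
    out["vpn-citrix"] = fw.filter(Packet("10.200.0.9", 40007, str(CITRIX), ICA))
    out["citrix-internal"] = fw.filter(Packet(str(CITRIX), 40008, "10.0.5.7", 445))
    out["world-citrix"] = fw.filter(Packet("203.0.113.9", 40010, str(CITRIX), ICA))
    return out


if __name__ == "__main__":
    for name, (verdict, rule) in run_scenario().items():
        print(f"{name:22s} {verdict:6s} ({rule})")
```

The model answers the "how is this different from opening a port to an internal host" question directly: the only way traffic reaches the internal zone from DMZ1 is as a reply to a flow an internal host opened (the `established` path), so a compromised proxy or mail gateway has no rule it can use to start a connection inward. DMZ2 is the deliberate exception, and it is only reachable through the VPN concentrator, not from the world.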

