Security Basics mailing list archives
Re: DMZ - Question
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sat, 27 Oct 2007 02:58:55 +0200
On 2007-10-26 hol64 () hotmail com wrote:
DMZ address range 192.168.x.x Internal LAN 10.x.x.x
Route between those networks, and do NAT only on the router bordering the Internet.
The web server needs to have access to a mainframe. How would you increase security if not with a DMZ?
I already mentioned three possible approaches. 1) Data replication: Replicate the data your webserver needs to access from the mainframe into the DMZ. That way the webserver has access to nothing but the data it needs to access. Disadvantages: replication of large amounts of data takes time, usually no live updates when data on the main- frame changes, updates from the webserver must be pulled. 2) Bastion host: A host that belongs physically to the DMZ, but logically to the LAN. It must be locked down and monitored closely. Laying out the web- server as a bastion host would allow it to be accessible from the outside, but still have access to hosts on the LAN. Downsides: bastion hosts are very critical, because when they're compromised, the attacker has immediately access to the LAN. Therefore they need very much attention (hardening, monitoring of logs, etc.). 3) Second DMZ: Create a second DMZ and put the mainframe into it. Allow access from the first DMZ and the LAN to the second DMZ, but not from any DMZ to the LAN. Dan Lynch elaborated on this quite a bit, so I'll just refer you to his mail for details. Which of the above is most appropriate in your case depends on the particulars of your scenario. For example: using PHP on the webserver would rule out the second option, the webserver updating the mainframe in realtime might rule out the first option, etc. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- DMZ - Question hol64 (Oct 26)
- Re: DMZ - Question Ansgar -59cobalt- Wiechers (Oct 26)
- Re: DMZ - Question Daniel Anderson (Oct 29)
- Re: DMZ - Question Ansgar -59cobalt- Wiechers (Oct 29)
- Message not available
- Message not available
- Re: DMZ - Question kevin fielder (Oct 31)
- Re: DMZ - Question Daniel Anderson (Oct 29)
- Re: DMZ - Question Ansgar -59cobalt- Wiechers (Oct 26)
- <Possible follow-ups>
- Re: Re: DMZ - Question hol64 (Oct 26)
- Re: DMZ - Question Ansgar -59cobalt- Wiechers (Oct 29)