RE: Re: DMZ design - Exchange, SQL, & DCOM

[jan.schultheiss () ubs com]

Hi Mike

> Jan Schultheiss wrote:
> > Mikael Olsson wrote:
> > > The reason for the separate DMZ is that you don't want to expose
> > > your mail forwarder to your web server.
> >
> > Another possibility is to use "secure" switches. There is a 
> switch from Bay
> > (i.e Nortel) that allows you to configure on a port basis 
> which devices are
> > allowed to talk to each other. 
>
> Yes, this would work.
>
> But does your switch do logging and alerting when your web
> server tries to hack your mail server?

All traffic would have to pass the firewall where you could do the logging and 
alerting. The only task the switch has to do is to allow communication between 
the firewall and the systems in the DMZ. However, the systems in the DMZ 
(although logically on the same network) would not be able to talk to each 
other.

> It'd be damn nice to see evidence of when you're web server
> has been hacked so you know when to go reformat and reinstall
> it :-) (And, hopefully, see what the hell went wrong and secure it)

It would be even nicer when you got alerted when you're systems are under 
attack ;-) But on heavy loaded web site this is an entirely different issue.

Jan