PaulDotCom mailing list archives
DNS access from DMZ
From: arch3angel at gmail.com (Arch Angel)
Date: Tue, 2 Dec 2008 02:59:37 -0500
What is the main driving force for this design of having an enterprise cloud that houses inside itself a cloud of a trusted network that has hanging off it a DMZ web server? I mean, I understand the security through depth concept, however I am a bit curious as to the purpose of this web server. Are the web sites on this server accessed from parties in the trusted region of this network? Are these web sites accessed from parties outside the enterprise cloud? Are there entries in the internal DNS server required for routing? An example would be, does this web server need to know the route of a database that is internal to the trusted network but is discovered/routed based on a subdomain name such as http://database.domain.com? My concern would be the fact that you (the company, not you personally) have placed this server into the DMZ for a reason, i.e. maybe to share sites with select outside parties. If this is the case I would have to question why it needs to be looking backwards to the internal trusted side for anything. Now if the internal trusted parties need to access this server to interact with the website it is hosting, that is another thing; just create a route that allows users of this server to use the DNS that is secured within the trusted network to be resolved to an IP that is then routed via the routers and switches. The internal users can still see the domain in the URL. If the web server does not have any real reason to communicate backwards, then why not consider using the North American DNS servers to resolve items out on the intertubes? I guess I am more concerned about the need to communicate from a DMZ'ed device backwards to a trusted cloud, going back to the question of why it was placed into the DMZ if it still had such a requirement to use resources inside the trusted network.
If I were in your shoes I would not feel comfortable looking back internally for any reason, and as such I would find a way to use external DNS servers such as the North American DNS servers, which are public, and avoid any chance of a compromised web server having a hosts file full of devices or, worse yet, a clean path back into the trusted cloud.

Robert
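As an added illustration of the point Robert makes (example code written for this page, not from his post or from the list), here is a small audit that flags a DMZ host whose resolver or hosts file points back into RFC 1918 address space; the resolv.conf and hosts contents are constructed samples.

```python
import ipaddress

# Constructed sample files from a hypothetical DMZ web server.
SAMPLE_RESOLV_CONF = """\
# resolver config on the DMZ host
nameserver 10.0.0.53
nameserver 8.8.8.8
search corp.example
"""

SAMPLE_HOSTS = """\
127.0.0.1    localhost
10.0.5.20    database.domain.com   # internal database, leaked into the DMZ host
203.0.113.10 www.example.com
"""

# RFC 1918 ranges; extend with the organisation's own internal prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_resolvers(text):
    """Return nameserver addresses from resolv.conf-style text, in order."""
    return [p[1] for p in (line.split() for line in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def parse_hosts(text):
    """Return (ip, [names]) tuples from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            entries.append((fields[0], fields[1:]))
    return entries


def audit_dmz_resolution(resolv_text, hosts_text):
    """List every place the DMZ host is configured to reach back into internal space."""
    findings = [f"nameserver {ip} is an internal (RFC 1918) DNS server"
                for ip in parse_resolvers(resolv_text) if is_internal(ip)]
    findings += [f"hosts entry {ip} -> {', '.join(names)} maps an internal host"
                 for ip, names in parse_hosts(hosts_text) if is_internal(ip)]
    return findings
```

Run it against the real /etc/resolv.conf and /etc/hosts of a DMZ box and any non-empty result is a path back into the trusted network worth questioning.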