How might I increase the security and scalability of my DMZ?
A common approach for an attacker is to break into a host that’s vulnerable to attack, and exploit trust relationships between the vulnerable host and more interesting targets. If you are running a number of services that have different levels of security, you might want to consider breaking your DMZ into several “security zones”. This can be done by having a number of different networks within the DMZ. For example, the access router could feed two ethernets, both protected by ACLs, and therefore in the DMZ. On one of the ethernets, you might have hosts whose purpose is to service your organization’s need for Internet connectivity. These will likely relay mail, news, and host DNS. On the other ethernet could be your web server(s) and other hosts that provide services for the benefit of Internet users. In many organizations, services for Internet users tend to be less carefully guarded and are more likely to be doing insecure things.
A common approach for an attacker is to break into a host that’s vulnerable to attack, and exploit trust relationships between the vulnerable host and more interesting targets. If you are running a number of services that have different levels of security, you might want to consider breaking your DMZ into several “security zones”. This can be done by having a number of different networks within the DMZ. For example, the access router could feed two ethernets, both protected by ACLs, and therefore in the DMZ. On one of the ethernets, you might have hosts whose purpose is to service your organization’s need for Internet connectivity. These will likely relay mail, news, and host DNS. On the other ethernet could be your web server(s) and other hosts that provide services for the benefit of Internet users. In many organizations, services for Internet users tend to be less carefully guarded and are more likely to be doing insecure things.
A common approach for an attacker is to break into a host that’s vulnerable to attack, and exploit trust relationships between the vulnerable host and more interesting targets. If you are running a number of services that have different levels of security, you might want to consider breaking your DMZ into several “security zones”. This can be done by having a number of different networks within the DMZ. For example, the access router could feed two Ethernets, both protected by ACLs, and therefore in the DMZ. On one of the Ethernets, you might have hosts whose purpose is to service your organization’s need for Internet connectivity. These will likely relay mail, news, and host DNS. On the other Ethernet could be your web server(s) and other hosts that provide services for the benefit of Internet users. In many organizations, services for Internet users tend to be less carefully guarded and are more likely to be doing insecure things. (For example, in the case of a web server, unauthen
If you are running a number of services that have different levels of security, you might want to consider breaking your DMZ into several “security zones”. This can be done by having a number of different networks within the DMZ. For example, the access router could feed two Ethernets, both protected by ACLs, and therefore in the DMZ. On one of the Ethernets, you might have hosts whose purpose is to service your organization’s need for Internet connectivity. These will likely relay mail, news, and host DNS. On the other Ethernet could be your web server(s) and other hosts that provide services for the benefit of Internet users. In many organizations, services for Internet users tend to be less carefully guarded and are more likely to be doing insecure things. (For example, in the case of a web server, unauthenticated and untrusted users might be running CGI, PHP, or other executable programs. This might be reasonable for your web server, but brings with it a certain set of risks that
