DMZ zone


Miha Bernik

Hi

Is there some kind of 'white paper' explaining how to approach a DMZ zone?
In our company we're thinking of moving servers into this DMZ zone, so I need
to know what this means for applications and other services running on the
servers and how to reconfigure our LAN.

If anyone could give me a hint or some advice on what to do I would be very
thankful.
We have:

- 2 DCs running Windows 2000 Standard Server
- the first is a file, application and backup (DLT) server (running DNS,
DHCP and WINS services)
- the second is an IIS, application and also backup (DAT) server (running DNS,
DHCP and WINS services)
- 1 Exchange 2000 Server (member server)
- 2 SQL 2000 Servers (member servers)
- 1 backup Windows 2000 Server running SUS

Thanks
Regards
Miha
 

Lanwench [MVP - Exchange]

What's your goal?

The DMZ is designed for computers/servers that need firewall protection, but
don't need communication with anything on your LAN, roughly speaking. An
example would be a public webserver, or a (non-Exchange!) e-mail server that
relays Internet mail to your mail server on the LAN.

If you poke a bunch of holes open between DMZ and LAN you've effectively
destroyed most security provided by the DMZ.
 

Keith W. McCammon

> Is there some kind of 'white paper' explaining about DMZ zone how to
> approach??

I can do it in less than 20 words: A DMZ is a non- or semi-trusted network,
typically separated from the trusted network(s) via a firewall.
> In our company we're thinking of moving servers into this DMZ zone so I need
> to know what does this mean for applications and other services running on
> servers and how to reconfigure our LAN

It means that you need to understand which services your applications and
systems require, and configure the firewall accordingly to allow these
ports/protocols. Note that, in many cases, the number of ports and services
required gets to be so high that there's really not much point in having a
DMZ.
> If anyone could give me a hint or some advice what to do I would be very
> thankful

Start searching the KB for lists of commonly used ports for MS services and
applications. They're everywhere.
 

Steven L Umbach

You only want to put those servers that offer services to the internet in the dmz and
that should NOT include a domain controller. Then there typically is a firewall in
front of the dmz to allow access to only offered services for internet users and in
front of the lan to allow only necessary access between the dmz and the lan. Extra
care needs to be taken to harden dmz servers, including running the bare minimum of services
and keeping current on critical patches. The links below should help. The white paper
is for Windows 2003, but almost all is the same and it goes into depth about using
ipsec to protect traffic between the dmz and the lan which also minimizes the holes
needed in the firewall. The article about ISA should be helpful, just realize that
you can substitute hardware firewalls instead of ISA, but the protection strategy as
far as segmenting is the same. --- Steve


http://www.microsoft.com/resources/...2003/all/deployguide/en-us/dnsbi_per_sqvp.asp
http://tinyurl.com/2uhfr -- same link as above, shorter in case of wrap.
http://www.microsoft.com/technet/Security/topics/network/firewall.mspx -- refer to
part on enterprises.
http://www.microsoft.com/downloads/...familyid=c2ef3846-43f0-4caf-9767-a9166368434e
http://www.microsoft.com/downloads/...86-A2C8-4C8F-A9D0-A0201F639A56&DisplayLang=en
-- how to harden W2K servers.
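The replies above agree on the design: a front firewall that exposes only the offered services to the Internet, a back firewall that allows only the specific DMZ-to-LAN flows the applications need, and a domain controller that never lives in the DMZ. The following is an added example, not code from the thread or from Microsoft: a small first-match, default-deny policy model for the three zones, evaluated against constructed sample flows, plus an audit that flags any DMZ-to-LAN allow rule that is broader than one source host, one destination host and one port (the "holes" Lanwench warns about). All addresses, hostnames and ports are constructed for illustration.

```python
"""Three-zone (Internet / DMZ / LAN) firewall policy model.

Added example, not from the thread. Zones, hosts and ports are constructed;
the policy is the shape described in the replies, not a real site's rule set.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address ranges: TEST-NET-1 for the DMZ, RFC 1918 for the LAN.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "lan": ip_network("10.0.0.0/8"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything not DMZ or LAN is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_host: Optional[str]  # None = any host in src_zone
    dst_host: Optional[str]  # None = any host in dst_zone
    proto: str               # "tcp" or "udp"
    port: Optional[int]      # None = any destination port
    action: str              # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (zone_of(src) == self.src_zone
                and zone_of(dst) == self.dst_zone
                and (self.src_host is None or self.src_host == src)
                and (self.dst_host is None or self.dst_host == dst)
                and self.proto == proto
                and (self.port is None or self.port == port))


# Constructed hosts: public services in the DMZ, everything else on the LAN.
WEB = "192.0.2.10"       # public IIS server (DMZ)
RELAY = "192.0.2.25"     # SMTP relay, deliberately not Exchange (DMZ)
SQL = "10.0.0.20"        # SQL Server the web application talks to (LAN)
EXCHANGE = "10.0.0.30"   # Exchange, fed by the relay (LAN)
DC = "10.0.0.1"          # domain controller, never placed in the DMZ (LAN)

POLICY: List[Rule] = [
    # Front firewall: the Internet reaches only the offered services.
    Rule("internet", "dmz", None, WEB, "tcp", 80, "allow"),
    Rule("internet", "dmz", None, WEB, "tcp", 443, "allow"),
    Rule("internet", "dmz", None, RELAY, "tcp", 25, "allow"),
    # Back firewall: one rule per application flow the DMZ really needs.
    Rule("dmz", "lan", WEB, SQL, "tcp", 1433, "allow"),
    Rule("dmz", "lan", RELAY, EXCHANGE, "tcp", 25, "allow"),
    # No rule for Internet->LAN or DMZ->DC: those fall to the default deny.
]

# A deliberately loose variant: "any DMZ host to any LAN host, any TCP port".
LOOSE_POLICY: List[Rule] = POLICY + [
    Rule("dmz", "lan", None, None, "tcp", None, "allow"),
]


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in policy:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "deny"


def audit_dmz_to_lan(policy: List[Rule]) -> List[Rule]:
    """Return DMZ->LAN allow rules that are not pinned to one src, one dst and one port."""
    return [r for r in policy
            if r.action == "allow" and r.src_zone == "dmz" and r.dst_zone == "lan"
            and (r.src_host is None or r.dst_host is None or r.port is None)]


if __name__ == "__main__":
    samples = [("198.51.100.7", WEB, "tcp", 80), ("198.51.100.7", SQL, "tcp", 1433),
               (WEB, SQL, "tcp", 1433), (RELAY, SQL, "tcp", 1433), (WEB, DC, "tcp", 389)]
    for flow in samples:
        print(flow, "->", evaluate(POLICY, *flow))
    print("loose rules in LOOSE_POLICY:", audit_dmz_to_lan(LOOSE_POLICY))
```

The audit is the part worth keeping around: if the list of flagged DMZ-to-LAN rules grows, or the rule count approaches the number of ports the applications use on the LAN, the DMZ is no longer buying much, which is Keith's point above.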
 
