May 27th, 2004, 03:53 PM
DMZ isn't an open country where anyone can do whatever they want, but the security is different from what you have applied to the internal network.
DMZ "means" that you should allow SOME connections to be inbound (because you are serving someone out there). But all activities on the DMZ must be controlled.
DMZ / corporate network segregation is very good because it makes security management easier than putting everything on the same network behind your firewall. I can say that because here it's common that small companies (with no money) want this kind of configuration (all behind, no segregation) and it's harder to do than with DMZ segregation.
If your boss thinks that all ports should be open to the DMZ, maybe suggest that he "refresh" his mind (very kindly pls). He is thinking about WAR, not IT.
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt.
If I die before I wake, I pray the Lord my soul to brake.
May 27th, 2004, 04:03 PM
I administer my DMZ as a separate network, with a separate interface on the firewall and its own network policy. It is not a border, just a different subnet with its own physical topology that makes it easy for me to permit or deny whatever I want without affecting my office users. As a matter of fact, having a DMZ gives me the flexibility of having either tighter or looser security on that segment than on my office segment, depending on my needs.
Yeah, man, this isn't war. That would suck.
May 27th, 2004, 04:26 PM
Okay first: DMZ
(I will type faster next time)
(quick ?: what database system are you using?)
For the Admin account, like posted in an earlier thread, changing the admin accounts only makes trouble. It doesn't matter if you lower the admin status and make a thousand dummy accounts and make a random admin account. If someone can use DOS and use the command net localgroup, then they can find it. Just secure everything and you will be fine. Also, on the Admin account make the password big and full of crap. For example: Th3D0gC4n7║╚RunRunRun. L0pht crack gives up at 8, the best Rainbow table out (that I know of) gives up at 15. So that password will be pretty friggen safe.
For more about your server situation, I need to know what you are using for your database. Thankie and good luck.
I remembered you had a Firebox, so I found this. It is just kinda universal, but it will help you understand DMZs a little better:
You shall no longer take things at second or third hand,
nor look through the eyes of the dead...You shall listen to all
sides and filter them for your self.
May 27th, 2004, 04:37 PM
We use Filemaker 6.0 databases. We have a FM server, then all employees use FM on their machines that connects to that server. EVERYTHING goes through FM: account info, e-mail, down to copies of every fax we send out. The data the FM server uses is kept on a separate data server, so the two work together interactively. So, I think that data server is the most important to protect (we back up the crap out of it too). If that were compromised, we'd be in deep poop, since every account, password, e-mail attachment, and measly detail of corporate workings is on there.
May 28th, 2004, 11:00 AM
Any network admin that thinks it's "his network" to run a vulnerability scan on a whim is extremely ignorant. When he knocks the first server offline and thousands of dollars gets lost because he was "just testing", that isn't going to hold up very well with most executives. Pink slip time!!!
Originally posted here by Tiger Shark
Ahem, it's his network to scan.... and he's doing his job.
May 28th, 2004, 11:37 AM
Angelic: Your boss just showed his level of computer knowledge by stating that the DMZ opens a machine to everything. His experience is that of Linksys, D-Link router/firewalls, i.e. consumer grade, which allows you to place a box in the "DMZ" so that it is unfettered by the firewall rules. This isn't a DMZ since all packets will be received by the "DMZ"ed machine.
A proper DMZ is made up of, what is really, a separate network. This can be created by having two firewall devices. One controls access to the "half internal" network or DMZ and the other controls access from the "half internal" network, (or DMZ), to the trusted network. Many up-to-date firewalls have a built-in DMZ, (WatchGuard, for example, calls the port the optional port). Rules can be set up for access from the public network to the DMZ, from the public network to the trusted network and from the DMZ to the trusted network. It creates a three network system, public, DMZ and trusted. The control can be extremely granular. Typically, in a DMZ enabled system no access is allowed directly from the public network to the trusted network. Incoming packets are routed to servers in the DMZ and no further, (web pages etc. are served from the DMZ). If packets are required to get to the trusted network then they are first received by a server in the DMZ and then forwarded to a specific server in the trusted network, email is a good example. I employ a "mail sentry" in the DMZ that uses one type of mail server which then forwards the incoming mail to a server on the trusted network that uses a different mail server. Thus, if you want to get to my trusted network by exploiting SMTP you need exploits for two different mail servers.
Hope that clears up the DMZ issue. Ask if you need more detail.
Let me start by thanking you for calling me extremely ignorant, that was very nice. I'm a network admin, heck I'm the Manager of Information Systems. It _is_ my network to run scans against whenever I please. I perform random scans and vulnerability checks at will.
Any network admin that thinks it's "his network" to run a vulnerability scan on a whim is extremely ignorant.
If I get pink slipped for knocking production servers offline then the pink slip is for my incompetence _not_ for the fact that I chose to do my job. There's a whole world of difference. If you don't know the potential hazards of a particular tool/vuln scanner you should be using it on test boxes first. If you don't have test boxes then it should be done at 10:30pm on a Friday night upon completion of a full backup and verify so that you have the weekend to fix your screw up.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
May 28th, 2004, 01:49 PM
Tiger Shark has a very good point about it being his network to run scans against at will. For you up and coming network admins keep that in mind -- know what you're doing as best you can (so you can restore from backup in case you fudge something), but don't hesitate to do everything you can to KNOW your network, no matter what that requires. Scanning overcomes ignorance.
And even if you are not the admin in charge, networks are run with policies, administrative overhead, and supervisory authority. Find out who's in charge and what the policies are, and then feel free to scan away if it's permitted. Some admins will be more open to this than others, but then you have at least gained that kind of knowledge.
Isn't this one of the primary mantras of this site: knowledge is power?
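Added example, not part of any post in this thread: a small Python audit of a zone-to-zone allow list against the three-network model (public, DMZ, trusted) described in the May 28th, 11:37 AM post, including the mail-sentry forwarding path. The `Rule` type, the finding codes, the host names and the ports are assumptions made for illustration; this is not WatchGuard configuration syntax.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    """One ALLOW rule; anything not matched by a rule is denied."""
    src: str                    # source zone: "public", "dmz" or "trusted"
    dst: str                    # destination zone
    port: Optional[int]         # None = any port
    host: Optional[str] = None  # None = any host in the destination zone

def allowed(rules, src, dst, port, host):
    """Default deny: a flow passes only if some allow rule matches it."""
    return any(r.src == src and r.dst == dst and r.port in (None, port)
               and r.host in (None, host) for r in rules)

def audit(rules):
    """Return (code, rule) findings that break the three-network model."""
    findings = []
    for r in rules:
        if r.src == "public" and r.dst == "trusted":
            findings.append(("PUBLIC_TO_TRUSTED", r))      # must stop in the DMZ
        elif r.src == "public" and r.dst == "dmz" and r.port is None:
            findings.append(("ANY_PORT_TO_DMZ", r))        # "all ports open"
        elif r.src == "dmz" and r.dst == "trusted" and None in (r.port, r.host):
            findings.append(("BROAD_DMZ_TO_TRUSTED", r))   # needs one server, one port
    return findings

# Constructed policies; host names and ports are illustrative assumptions.
SEGREGATED = [
    Rule("public", "dmz", 80, "web"),
    Rule("public", "dmz", 25, "mail-sentry"),
    Rule("dmz", "trusted", 25, "mail-internal"),   # sentry forwards to internal server
]
CONSUMER_STYLE = [
    Rule("public", "dmz", None),                   # consumer-router "DMZ host"
    Rule("public", "trusted", 25, "mail-internal"),
    Rule("dmz", "trusted", None),
]

if __name__ == "__main__":
    for name, policy in (("segregated", SEGREGATED), ("consumer-style", CONSUMER_STYLE)):
        print(name, [code for code, _ in audit(policy)])
```
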