-
I understand... The point is that this site is an ASP one and the data is in a DB in the private network. I think that when they build the file app, they will follow the same scheme as with the data: the web server building pages in the DMZ and the data in the private network.
I think the problem is not new; many companies and sites do the same as us: users upload and download files. My first suggestion when they asked me was to use a file repository in the DMZ with encryption, but I think developers are afraid of the word "ENCRYPTION" ;), and the web server cannot store all the data, so I don't think we want to spend a public address on a server that only stores files...
Have you seen something similar? What did you do?
-
I think I found a solution. I'm going to create a "private DMZ": a network on the public DMZ interface of the firewall but with private addresses. I will assign one of these addresses to the firewall interface and put the file server in this network. So the file server will not be visible from the internet directly, but the web server will be able to access it, even via NBT, without compromising my corporate network...
What do you think about this?
-
Sorry I didn't get back to you.... I got distracted by other things and forgot about you...... :o
Yeah, that would work.... Points to consider:
1. Within the DMZ network all machines need to be locked down as best as possible.
2. On the DMZed document server keep only those documents that are absolutely necessary.
3. Do not allow NBT from the DMZ to the trusted network. This means the DMZ servers will be standalone rather than part of the AD domain.
4. Place Host Intrusion Detection Systems (www.gfi.com has a free one that I started using recently and seems functional) on all machines in the DMZ.
-
Thank you very much for your advice. I usually do that, except for HIDS, which I actually haven't used before (I'm going there right now), and for AD... I never put servers in the DMZ that use AD users, but recently I was forced to do that since they asked me to put in an OWA (Outlook Web Access) server which works with the corporate Exchange. You can't even imagine how many services I've had to open from the DMZ to internal to keep it going!! :(
Thank you again Tiger!
-
If you run OWA through SSL, then put the Exchange server on the trusted network and allow port 443 straight through to the Exchange server, or, better yet, if you can, create a VPN through to the trusted network.
Having so many ports required to allow an Exchange server to function in the DMZ is just like not having the DMZ if anyone compromises a box in the DMZ.... I would pull it back into the trusted network and allow 443 straight through. It's what I did after looking at it carefully and then looking at my small pile of dollars. My final solution cost me a cheap file server that I put in the DMZ that receives the mail via SMTP and relays it to the Exchange server on the trusted network. The only port I have open from the internet to the trusted network is port 443 to the Exchange server. Everything else stops at the DMZ.
Yes, there are ways to have two Exchange servers that communicate via an encrypted, digitally signed tunnel through the firewall, but the level of complexity is significant, the cost is more so, and even if I did manage to implement it I would never be able to go on vacation..... ;)
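The firewall policy the thread converges on (file server in a private DMZ reachable only from the web server, no NBT from the DMZ into the trusted network, only 443 from the internet straight to Exchange, SMTP stopping at a relay in the DMZ) can be modelled and audited before it is typed into a firewall. The script below is an added example, not code from anyone in this thread. Host names, zone names and the port lists are assumptions chosen for illustration; the "OWA in the DMZ" ruleset at the end is a constructed counter-example showing how a domain-joined server in the DMZ opens NBT/SMB paths into the trusted network, which is the situation the last post describes.

```python
"""Audit a DMZ firewall policy for NBT/SMB paths from the DMZ into the trusted network.

Added example, not from the original thread. Hosts, zones and ports are assumptions:
  - dmz_public : web server and SMTP relay, reachable from the internet
  - dmz_private: file server on private addresses on the same firewall interface
  - trusted    : Exchange, SQL Server, domain controller
Run with: python3 dmz_policy.py
"""
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, List, Optional, Set, Tuple

NBT_PORTS = frozenset({137, 138, 139, 445})   # NetBIOS over TCP/IP and SMB

# Zone membership (assumed hosts). "any" stands for an arbitrary internet host.
# "owa_dmz" only appears in the counter-example ruleset below.
ZONES = {
    "internet": frozenset({"any"}),
    "dmz_public": frozenset({"webserver", "smtp_relay", "owa_dmz"}),
    "dmz_private": frozenset({"fileserver"}),
    "trusted": frozenset({"exchange", "sqlserver", "dc"}),
}


def zone_of(host: str) -> str:
    for zone, hosts in ZONES.items():
        if host in hosts:
            return zone
    raise KeyError(f"unknown host {host!r}")


@dataclass(frozen=True)
class Rule:
    src: str                          # host name or zone name
    dst: str                          # host name or zone name
    ports: Optional[FrozenSet[int]]   # None means any port
    action: str                       # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        src_ok = self.src in (src, zone_of(src))
        dst_ok = self.dst in (dst, zone_of(dst))
        port_ok = self.ports is None or port in self.ports
        return src_ok and dst_ok and port_ok


# The design from the thread: internet traffic stops in the DMZ except 443 to
# Exchange; the web server reaches the file server over NBT/SMB and the DB over
# SQL (1433 assumed); the relay forwards SMTP inward. Everything else is denied.
RULES: List[Rule] = [
    Rule("internet", "webserver", frozenset({443}), "allow"),
    Rule("internet", "smtp_relay", frozenset({25}), "allow"),
    Rule("internet", "exchange", frozenset({443}), "allow"),
    Rule("webserver", "fileserver", NBT_PORTS, "allow"),
    Rule("webserver", "sqlserver", frozenset({1433}), "allow"),
    Rule("smtp_relay", "exchange", frozenset({25}), "allow"),
]

# Counter-example: an OWA front end in the DMZ joined to the domain. The port
# list is an assumed subset of what a domain member needs to its DC (Kerberos 88,
# RPC endpoint mapper 135, LDAP 389, plus NBT/SMB) and to a back-end Exchange.
BAD_RULES: List[Rule] = RULES + [
    Rule("internet", "owa_dmz", frozenset({443}), "allow"),
    Rule("owa_dmz", "dc", NBT_PORTS | {88, 135, 389}, "allow"),
    Rule("owa_dmz", "exchange", NBT_PORTS | {80, 135}, "allow"),
]


def allowed(src: str, dst: str, port: int, rules: List[Rule] = RULES) -> bool:
    """First-match evaluation with an implicit final deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action == "allow"
    return False


def exposed_from_internet(rules: List[Rule] = RULES) -> Set[Tuple[str, int]]:
    """Every (host, port) pair an internet host can reach, in any zone."""
    hosts = [h for zone in ZONES.values() for h in zone if h != "any"]
    ports = {p for r in rules if r.ports for p in r.ports}
    return {(h, p) for h, p in product(hosts, ports) if allowed("any", h, p, rules)}


def nbt_leaks(rules: List[Rule] = RULES) -> List[Tuple[str, str, int]]:
    """(src, dst, port) triples where NBT/SMB from any DMZ host reaches the trusted network."""
    dmz = ZONES["dmz_public"] | ZONES["dmz_private"]
    return sorted((s, d, p) for s, d, p in product(dmz, ZONES["trusted"], NBT_PORTS)
                  if allowed(s, d, p, rules))


if __name__ == "__main__":
    print("exposed from internet:", sorted(exposed_from_internet()))
    print("NBT leaks, final design:", nbt_leaks())
    print("NBT leaks, OWA in DMZ:", nbt_leaks(BAD_RULES))
```

The useful part is `nbt_leaks()`: it enumerates every DMZ host against every trusted host on the NBT/SMB ports, so a single stray rule (the counter-example adds two) shows up as a concrete path rather than being buried in a long rule list. Swap in your own hosts and the rules as exported from the firewall, and run the audit whenever a "just one more port" request comes in.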
-
Yes, maybe it would be better to put it back into the trusted network and open 443... And now is the moment, since I'm planning to migrate to 2003 and build an NLB cluster for it....
Thanks!