|
-
December 29th, 2005, 10:05 PM
#6
It's really pretty simple as a concept. The DMZ is a partially secured network in that it, by it's nature, must allow public access to it's resources. Other than that which must be allowed into the DMZ from the public network and that which must be allowed in from the private network everything else should be locked in either direction. Thus the following:-
On the Public Interface
Allow SMTP from Any to DMZ
Allow HTTP from ANY to DMZ
Deny Any from Any to DMZ
Deny Any from Any to Private
On the Private Interface
Allow HTTP from Private to Public
Allow HTTP from Private to DMZ
Allow POP3 from Private to DMZ
Allow SMTP from Private to DMZ
Allow FTP from Private to DMZ, (to update Web Page)
Allow [SMTP Management Port] to DMZ
Allow [Whatever else you need] From Private to Public
Deny Any from DMZ to Private
Deny Any from Private to DMZ
Deny Any from Private from Public
You will note that nothing is allowed to the Private from the DMZ. IOW, any traffic _from_ the DMZ to the Private network is blocked. Only connections initiated from within the Private network on specific ports can be created. Same applies to the Public network.... Nothing can initiate a connection from the Public to the Private and only certain connections can be initiated from the Public to the DMZ to allow those services you provide publicly to function.
In this way you ensure that compromising the Private network is as difficult as possible since you treat the DMZ in the same way you treat the Public network..... _un_-trusted!
Don\'t SYN us.... We\'ll SYN you..... 
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote