Putting a server in the DMZ

Associate, joined 14 Jan 2010, 662 posts
Hi,

Is it a bad idea to allow a Windows server in the DMZ to "communicate" with any LAN devices such as a mail server? My thinking is that if said server was compromised then that would just be a pathway to the mail server, right?
 
The point of a DMZ is that there's a firewall between it and the WAN and between it and the LAN. So if it's a web server that needs to talk LDAP for authentication to an internal user directory then you only allow ports 443 and 80 from DMZ to WAN, and the relevant LDAP ports between DMZ and LAN.

So if you need to relay mail then you just open the necessary SMTP port between the DMZ and the LAN. It depends what you mean by 'pathway' - you can't make anything completely secure unless you firewall it off completely from the outside world, but that also doesn't help you run any services.
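The three-zone layout described above, written out as an added example (not code from the thread): a default-deny forward policy between WAN, DMZ and LAN in which only the web ports come in from the WAN to the DMZ and only LDAP/LDAPS and SMTP go from the DMZ to the LAN. The script renders the policy as an nftables ruleset and also evaluates sample connection attempts against the same table, so the rules can be sanity-checked before they are loaded. The interface names, the exact port list and the decision to give the DMZ host no outbound access to the WAN are assumptions of the example, not statements from the post; the post's "443 and 80" is read here as inbound traffic to the web server.

```python
"""Three-zone DMZ policy: render as nftables and test flows against it.

Added example. Interface names, ports and the no-egress choice are
assumptions, not taken from the forum post.
"""
from dataclasses import dataclass

# Assumed interface-to-zone mapping on the firewall.
ZONES = {"wan": "eth0", "dmz": "eth1", "lan": "eth2"}


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    comment: str  # why the hole exists


# Everything not listed here is dropped by the chain's default policy.
POLICY = [
    Rule("wan", "dmz", "tcp", 80,  "public web"),
    Rule("wan", "dmz", "tcp", 443, "public web (TLS)"),
    Rule("dmz", "lan", "tcp", 389, "web server -> internal LDAP"),
    Rule("dmz", "lan", "tcp", 636, "web server -> internal LDAPS"),
    Rule("dmz", "lan", "tcp", 25,  "web server -> internal SMTP relay"),
]


def is_allowed(src_zone: str, dst_zone: str, proto: str, dport: int,
               policy=POLICY) -> bool:
    """Decide whether a NEW connection matches the policy (default deny).

    Reply packets are not modelled here; in the rendered ruleset they are
    covered by the established,related conntrack accept.
    """
    return any(
        r.src == src_zone and r.dst == dst_zone
        and r.proto == proto and r.dport == dport
        for r in policy
    )


def render_nft(policy=POLICY, zones=ZONES) -> str:
    """Render the policy as an nftables forward chain with policy drop."""
    lines = [
        "table inet dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in policy:
        lines.append(
            f'    iifname "{zones[r.src]}" oifname "{zones[r.dst]}" '
            f'{r.proto} dport {r.dport} ct state new accept '
            f'comment "{r.comment}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


def audit(flows, policy=POLICY) -> dict:
    """Evaluate constructed sample flows; returns {label: allowed}."""
    return {label: is_allowed(s, d, p, port, policy)
            for label, (s, d, p, port) in flows.items()}


# Constructed sample flows a reviewer would want to see decided.
SAMPLE_FLOWS = {
    "internet -> web server https": ("wan", "dmz", "tcp", 443),
    "web server -> ldap":           ("dmz", "lan", "tcp", 389),
    "web server -> smtp relay":     ("dmz", "lan", "tcp", 25),
    "web server -> smb on lan":     ("dmz", "lan", "tcp", 445),
    "web server -> rdp on lan":     ("dmz", "lan", "tcp", 3389),
    "internet -> mail server":      ("wan", "lan", "tcp", 25),
    "web server -> internet":       ("dmz", "wan", "tcp", 443),
}

if __name__ == "__main__":
    print(render_nft())
    for label, allowed in audit(SAMPLE_FLOWS).items():
        print(f"{'ALLOW' if allowed else 'DROP ':5} {label}")
```

The audit answers the original question directly: a compromised DMZ host can reach the LAN only on the ports you deliberately opened, and SMB, RDP and anything else not in the list is dropped. Adding a rule means adding one line to POLICY and re-running the audit, so the LAN exposure stays reviewable rather than accumulating silently.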
 
Very good, sir! :cool:
 