
Would a Multi-Homed W2K3 Server Placed in DMZ Compromise LAN Security?

Super tight budget, approved to add only 1 server to W2K3 A.D. based LAN protected by Cisco PIX 515 FW.

To maximize the value of the new W2K3 Server, I would love to be able to use it for more than just a Web & FTP server in the DMZ because the internal LAN could well use another file server and I also need another LAN based Windows server to install M.S. Live Communication Server on as well.

My question is: From a security standpoint, would it be foolish to put 2 NICs in the new Windows Server 2003 system to connect it to both the DMZ and the internal LAN simultaneously?

My thought is the multi-homed configuration would allow the computer to be the Web & FTP server to the outside world while LAN clients could also utilize it as File Server & M.S LCS server belonging to the A.D. domain.

My fear is that multi-homing a Windows Server in this way possibly defeats the security isolation now present between the public (DMZ) & private (LAN) subnets provided by the PIX Firewall, should an outsider misuse the HTTP or FTP access to the new Windows server to hack into it.
Asked by: dealvis
3 Solutions
strongline commented:
I don't want to do that, for sure. And you've had the answer.

Compromise of the server means compromise of your LAN.
PowerIT commented:
Your fear is warranted.
When the server is compromised then the next step would be your LAN.
You would indeed nullify the DMZ.
The only justified scenario that I'm aware of where this is done is in IDS: putting an IP-less probe in the DMZ.

J.
lrmoore commented:
Agree with all above. It would certainly defeat the purpose of having the server isolated in a DMZ. You might consider taking an old PC, loading up Linux for your WWW/FTP server, and move this Windows server into your inside network.

Think about it this way - Windows is the most insecure operating system, and the most attacked operating system in the world. It just doesn't make sense to put your border security in the hands of Swiss cheese that has to be patched every month.
Microsoft does not sell routers for good reason. Windows can route between interfaces, but will never have all the functions and features and security of a real router.
Microsoft doesn't sell firewalls. Yes, some will argue that ISA is a firewall, but it is still a software application that rides on top of the Swiss cheese operating system.
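As an added example from the defender's side, not posted by anyone in this thread: a small Python audit that parses Windows Server 2003 `ipconfig` output and flags a host whose NICs hold addresses in both the DMZ and the LAN, which is exactly the bridging condition the answers warn about. The DMZ and LAN subnets and the `ipconfig` sample are constructed assumptions, not values from the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Zone ranges are assumptions for this example; substitute the real DMZ and LAN subnets.
ZONES = {"DMZ": ip_network("192.0.2.0/24"), "LAN": ip_network("192.168.1.0/24")}

# Constructed sample of 'ipconfig' output from a two-NIC host (not captured from a real system).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.0.2.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Local Area Connection 2:
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

ADAPTER_RE = re.compile(r"^(?:Ethernet|PPP) adapter (.+):\s*$")
IP_RE = re.compile(r"^\s*IP Address[ .]*: (\d+\.\d+\.\d+\.\d+)\s*$")

def parse_ipconfig(text):
    """Return {adapter_name: [IPv4Address, ...]} parsed from ipconfig output."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1).strip()
            adapters[current] = []
            continue
        m = IP_RE.match(line)
        if m and current is not None:
            adapters[current].append(ip_address(m.group(1)))
    return adapters

def zones_touched(adapters, zones=ZONES):
    """Map each zone to the set of adapters holding an address inside it."""
    hit = {}
    for name, addrs in adapters.items():
        for addr in addrs:
            for zone, net in zones.items():
                if addr in net:
                    hit.setdefault(zone, set()).add(name)
    return hit

def audit_host(text, zones=ZONES):
    """Sorted list of zones the host straddles; an empty list means it stays within one zone."""
    touched = zones_touched(parse_ipconfig(text), zones)
    return sorted(touched) if len(touched) > 1 else []
```

Run `audit_host` over the saved `ipconfig` output of each server; any non-empty result is a host that bypasses the PIX zone boundary and should be split into single-zone machines.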