Solved

Would a Multi-Homed W2K3 Server Placed in DMZ Compromise LAN Security?

Posted on 2007-03-22
Last Modified: 2008-05-31
Super tight budget, approved to add only 1 server to W2K3 A.D. based LAN protected by Cisco PIX 515 FW.

To maximize the value of the new W2K3 Server, I would love to be able to use it for more than just a Web & FTP server in the DMZ because the internal LAN could well use another file server and I also need another LAN based Windows server to install M.S. Live Communication Server on as well.

My question is: From a security standpoint, would it be foolish to put 2 NICs in the new Windows Server 2003 system to connect it to both the DMZ and the internal LAN simultaneously?

My thought is the multi-homed configuration would allow the computer to be the Web & FTP server to the outside world while LAN clients could also utilize it as File Server & M.S. LCS server belonging to the A.D. domain.

My fear is that multi-homing a Windows Server in this way possibly defeats the security isolation now present between the public (DMZ) & private (LAN) subnets provided by the PIX Firewall, should an outsider mis-use the HTTP or FTP access to the new Windows server to hack into it.
Question by:dealvis
3 Comments
 
LVL 13

Assisted Solution

by:strongline
strongline earned 450 total points
ID: 18776963
I don't want to do that, for sure. And you've had the answer.

Compromise of the server means compromise of your LAN.
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 450 total points
ID: 18778086
Your fear is warranted.
When the server is compromised then the next step would be your LAN.
You would indeed nullify the DMZ.
The only justified scenario that I'm aware of where this is done is in IDS: putting an IP-less probe in the DMZ.

J.
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 600 total points
ID: 18778838
Agree with all above. It would certainly defeat the purpose of having the server isolated in a DMZ. You might consider taking an old PC, loading up Linux for your WWW/FTP server, and move this Windows server into your inside network.

Think about it this way - Windows is the most insecure operating system, and the most attacked operating system in the world. It just doesn't make sense to put your border security in the hands of swiss cheese that has to be patched every month.
Microsoft does not sell routers for good reason. Windows can route between interfaces,  but will never have all the functions and features and security of a real router.
Microsoft doesn't sell firewalls. Yes, some will argue that ISA is a firewall, but it is still a software application that rides on top of the swiss cheese operating system.
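An audit check in the spirit of the answers above, added here as an example and not code from the original thread: given a constructed host inventory and hypothetical DMZ/LAN subnets, it flags any host that has addressed interfaces in both zones (rated worse when IP forwarding is switched on, since Windows can then route between them), while an address-less probe interface, the IDS exception PowerIT mentions, does not count as a bridge.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone layout for the thread's scenario: a PIX separating a public
# DMZ from the private A.D. LAN. Both subnets are hypothetical.
ZONES = {
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "LAN": ipaddress.ip_network("10.10.0.0/16"),
}


@dataclass
class Host:
    name: str
    # One entry per NIC: an IP string, or None for an interface that carries
    # no address at all (a passive IDS probe as PowerIT describes).
    interfaces: list
    ip_forwarding: bool = False


def zones_reached(host):
    """Return the set of zones in which the host has an addressed interface."""
    reached = set()
    for addr in host.interfaces:
        if addr is None:
            continue  # an address-less sniffing interface cannot be a hop into the LAN
        ip = ipaddress.ip_address(addr)
        for zone, net in ZONES.items():
            if ip in net:
                reached.add(zone)
    return reached


def audit(hosts):
    """Return (host name, finding) for every host whose interfaces span zones."""
    findings = []
    for h in hosts:
        zones = zones_reached(h)
        if len(zones) > 1:
            sev = "critical" if h.ip_forwarding else "high"
            findings.append((h.name, f"{sev}: bridges {sorted(zones)}"))
    return findings


# Constructed inventory (hypothetical names and addresses)
INVENTORY = [
    Host("web-ftp", ["192.0.2.10", "10.10.0.20"]),            # the proposed dual-homed W2K3 box
    Host("router-like", ["192.0.2.11", "10.10.0.21"], True),  # forwarding on: routes DMZ <-> LAN
    Host("ids-probe", [None, "10.10.0.30"]),                  # IP-less DMZ sniffer: the accepted exception
    Host("fileserver", ["10.10.0.40"]),                       # LAN only
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(name, finding)
```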