Solved

Would a Multi-Homed W2K3 Server Placed in DMZ Comprimise LAN Security?

Posted on 2007-03-22
3
607 Views
Last Modified: 2008-05-31
Super tight budget, approved to add only 1 server to W2K3 A.D. based LAN protected by Cisco PIX 515 FW.

To maximize the value of the new W2K3 Server, I would love to be able to use it for more than just a Web & FTP server in the DMZ because the internal LAN could well use another file server and I also need another LAN based Windows server to install M.S. Live Communication Server on as well.

My question is: From  security standpoint would it be foolish to put 2 NICs in the new Windows Server 2003 system to connect it to both the DMZ and the internal LAN simultaneously?  

My thought is the multi-homed configuration would allow the computer to be the Web & FTP server to the outside world while LAN clients could also utilize it as File Server & M.S LCS server belonging to the A.D. domain.

My fear is multi-homing a Windows Server in this way possibly defeats the security isolation now present between public (DMZ) & private (LAN) subnets provided by the PIX Firewall should an outsider mis-use the HTTP or FTP access to the new Windows server to hack into it?
0
Comment
Question by:dealvis
3 Comments
 
LVL 13

Assisted Solution

by:strongline
strongline earned 150 total points
ID: 18776963
I don't want to do that, for sure. And you've had the answer.

Compromise of the server means compromise of your LAN.
0
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 150 total points
ID: 18778086
Your fear is warranted.
When the server is compromised then the next step would be your LAN.
You would indeed nullify the DMZ.
The only justified scenario that I'm aware off where this is done is in IDS: putting an IP-less probe in the DMZ.

J.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
ID: 18778838
Agree with all above. It would certainly defeat the purpose of having the server isolated in a DMZ. You might consider taking an old PC, loading up Linux for your WWW/FTP server, and move this Windows server into your inside network.

Think about it this way - Windows is the most insecure operating system, and the most attacked operating system in the world. It just doesn't make sense to put your border security in the hands of swiss cheeze that has to be patched every month.
Microsoft does not sell routers for good reason. Windows can route between interfaces,  but will never have all the functions and features and security of a real router.
Microsoft doesn't sell firewalls. Yes, some will argue that ISA is a firewall, but it is still a software application that rides on top of the swiss cheese operating system.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question