Solved

Would a Multi-Homed W2K3 Server Placed in DMZ Comprimise LAN Security?

Posted on 2007-03-22
3
603 Views
Last Modified: 2008-05-31
Super tight budget, approved to add only 1 server to W2K3 A.D. based LAN protected by Cisco PIX 515 FW.

To maximize the value of the new W2K3 Server, I would love to be able to use it for more than just a Web & FTP server in the DMZ because the internal LAN could well use another file server and I also need another LAN based Windows server to install M.S. Live Communication Server on as well.

My question is: From  security standpoint would it be foolish to put 2 NICs in the new Windows Server 2003 system to connect it to both the DMZ and the internal LAN simultaneously?  

My thought is the multi-homed configuration would allow the computer to be the Web & FTP server to the outside world while LAN clients could also utilize it as File Server & M.S LCS server belonging to the A.D. domain.

My fear is multi-homing a Windows Server in this way possibly defeats the security isolation now present between public (DMZ) & private (LAN) subnets provided by the PIX Firewall should an outsider mis-use the HTTP or FTP access to the new Windows server to hack into it?
0
Comment
Question by:dealvis
3 Comments
 
LVL 13

Assisted Solution

by:strongline
strongline earned 150 total points
ID: 18776963
I don't want to do that, for sure. And you've had the answer.

Compromise of the server means compromise of your LAN.
0
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 150 total points
ID: 18778086
Your fear is warranted.
When the server is compromised then the next step would be your LAN.
You would indeed nullify the DMZ.
The only justified scenario that I'm aware off where this is done is in IDS: putting an IP-less probe in the DMZ.

J.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
ID: 18778838
Agree with all above. It would certainly defeat the purpose of having the server isolated in a DMZ. You might consider taking an old PC, loading up Linux for your WWW/FTP server, and move this Windows server into your inside network.

Think about it this way - Windows is the most insecure operating system, and the most attacked operating system in the world. It just doesn't make sense to put your border security in the hands of swiss cheeze that has to be patched every month.
Microsoft does not sell routers for good reason. Windows can route between interfaces,  but will never have all the functions and features and security of a real router.
Microsoft doesn't sell firewalls. Yes, some will argue that ISA is a firewall, but it is still a software application that rides on top of the swiss cheese operating system.
0

Join & Write a Comment

Suggested Solutions

Synchronize a new Active Directory domain with an existing Office 365 tenant
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now