  • Status: Solved

DMZ Design & AD

I need to create a DMZ. I just started with a small company. They have three separate physical networks.
They have 15 Citrix servers, 2 web servers, Exchange servers, FTP and application/file servers.
1) They need a DMZ. How would I go about doing it? Which servers go in the DMZ, and how do I set this up?
2) How can I migrate all forests into one forest managed under one AD.
0
Asked:
anon1m0us
2 Solutions
 
JohnjcesCommented:
A DMZ (Demilitarized Zone) is generally a NATed local LAN IP address that is set in one of your routers whereby all TCP packets are forwarded. Basically, this server is open to anything the Internet has to offer, both good and bad... a vulnerable place to be!

Some routers will allow a LAN segment to be NATed or act as a DMZ Gateway for an entire LAN segment, but it is dependent upon what equipment you are using.

Why do they need a DMZ? What is planned for this DMZ?

I would put nothing in a DMZ unless it was, say a webserver with only port 80 open on it or some other firewall.

John
0
 
anon1m0usAuthor Commented:
We have web servers and sensitive data that we need to protect. We need a DMZ so that only the web servers are in the DMZ and can only access internal apps via 443.
0
 
JohnjcesCommented:
I would not use a DMZ. Simply port forward ONLY those needed ports, like port 80 and 443 etc.

JJ
0
 
anon1m0usAuthor Commented:
We need a DMZ, based on a security audit by a vendor of ours.
Does the Exchange belong in the DMZ? How would people access their mail?

Also, how can I migrate all three networks into one forest?
0
 
JohnjcesCommented:
Is your Exchange server multi-homed?

Can I ask who your vendor is?

A lot of everything you ask depends on exactly how you get your Internet access, how many public IPs you have and a lot of other stuff.

One thing that might help would be to do a diagram of exactly how you have it setup now and obviously working now.

Start from Internet/WAN/Public IP and work forward.

Maybe someone else can champion a DMZ for your needs, but so far, audit or not, I don't see it unless you can supply more info.

John
0
 
feptiasCommented:
In my opinion, the servers in the DMZ should not be part of the AD domain. Only the servers and PC's on the LAN should be in the AD domain. My reasoning is that any computer that is a member of the domain is more trusted than one that is not and the whole point of a DMZ is that it contains servers that potentially should not be trusted - they are in the front line, so to speak, and could be compromised.

I don't agree with the earlier comment that the DMZ should be NAT'd - I think he is describing something that is found on a few models of router/firewall aimed at the domestic broadband market. The NAT decision depends on a few factors: Do you have just one or a small block of static IP addresses assigned to you by your ISP; What are the capabilities of your firewall(s); Finally, it can make a difference how your ISP connects to your firewall/router - in data centres you may be given a single IP address to use on the WAN port of your router and also be assigned a small subnet such as a block of 16 static IP addresses. The 16 static IP addresses will then be your DMZ subnet (14 are usable - one of which is assigned to the router's DMZ port and the rest are used on the servers in the DMZ). The ISP would maintain and publish a routing table that ensures requests from the Internet to your static IP addresses are delivered to the WAN port of your router.

I would put Exchange on the LAN, not in the DMZ, and then have a simple SMTP mail server in the DMZ which relays your company's inbound mail from the Internet through the firewall to the Exchange server on the LAN. Some people use a spam filtering server for this purpose - it filters out spam and relays mail through the DMZ. Outbound mail could either be sent directly from the Exchange server to its destination, sent via a Smarthost operated by a hosted mail service provider (possibly your existing ISP) or you could send it to the SMTP server located in the DMZ which would then relay it to its final destination. You would need to configure a reverse DNS lookup if using one of your own mail servers (rather than the hosted Smarthost) because mail is often rejected when there is not a valid reverse DNS lookup for the IP address that sent it. Also make sure your SMTP server is not configured to be an open relay - it should only relay inwards to your company's mail domain and outwards should only accept mail from the IP address of your Exchange server.

However, there is one catch to the "Exchange on the LAN, simple SMTP relaying in the DMZ" idea: If remote users need to be able to access the Exchange server from the Internet (e.g. OWA) then you might need to reconsider your strategy. It is not my area of expertise, but you could ask a new question in the Exchange topic area and there will be experts who can advise on this.

The rules on the firewall should prohibit everything inbound Internet-to-DMZ except the destination ports required for the services that must be reached - port 25 for SMTP mail delivery; port 80 for a web server; 20 and 21 for FTP; etc. Rules for access from the DMZ servers to the LAN servers should also be strict and only allow IP traffic through on known essential ports. For example, from the DMZ SMTP server to the Exchange server allow access to port 25 (it is also possible to use a non-standard port for this to give slightly improved security). Rules for outward access are normally much more relaxed - LAN-to-Internet might permit most things through as also you might allow quite a lot for LAN-to-DMZ, but there is no point allowing anything more than is actually needed here.

Here are some links to my old web site that might contain some useful info:
http://www.feptias.co.uk/AdviceFirewallZones1.htm
http://www.feptias.co.uk/AdviceFirewallsGeneral.htm
http://www.feptias.co.uk/AdviceNATExplained.htm

Hope this helps.
0
 
anon1m0usAuthor Commented:
If I create a DMZ and point it to a subnet, how do I now get the communication from the DMZ web servers to the internal network?
0
 
feptiasCommented:
It depends what type of communication you require from your DMZ web servers to the internal network. Do the web servers need to communicate with a file server or an SQL server or what? If it is with a file server, then you must open ports that are required for whatever network access protocol is being used - e.g. NetBIOS, Samba/SMB, NFS, Webdav or whatever it is. If it needs to access a database server, then you would open the relevant ports for whatever brand of SQL server is being used.

I have tried to give you some design guidance that helps to answer your question (1):
> "They need a DMZ. How would I go about doing it? Which servers go in the DMZ, and how do I set this up?"

I have to say that I am worried by your questions. If you do not have the skills in-house to understand what is required and to configure your firewalls and routers, I think you should consider seeking help from a local network/IT firm or bring in a contractor for a few days. It is not something you would want to get wrong, either at the design stage or implementation. Contributors from Experts-Exchange, like myself, can either give you broad design guidance or we can answer specific questions about technical problems, but you cannot expect to redesign and rebuild the public facing portion of your network, adding a DMZ, better security and consolidating several AD domains into one forest, through one question posted on a forum - even a forum as good as EE!
0
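An added example, not from the original thread, that models the three-zone policy feptias describes in the two answers above (default deny; inbound Internet-to-DMZ only on service ports; DMZ-to-LAN only host-to-host on known ports, such as the relay to Exchange on 25 and the web servers to an internal app over 443 as the asker wants; relaxed LAN outbound) as a small Python rule evaluator with an audit of the ruleset's shape. The addresses, host roles and audit checks are constructed assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (RFC 5737 / RFC 1918 ranges), not from the original post.
DMZ_NET = ip_network("203.0.113.16/28")   # the ISP's "block of 16" public IPs as the DMZ
LAN_NET = ip_network("10.0.0.0/8")
DMZ_SMTP, DMZ_WEB = ip_address("203.0.113.18"), ip_address("203.0.113.19")
EXCHANGE, APP_SERVER = ip_address("10.0.0.25"), ip_address("10.0.0.40")

def zone_of(ip):
    """Classify an address into dmz, lan or internet (anything else)."""
    ip = ip_address(ip)
    if ip in DMZ_NET:
        return "dmz"
    if ip in LAN_NET:
        return "lan"
    return "internet"

# Allow rules: (src zone, dst zone, src host or None, dst host or None, TCP ports or None=any).
# A flow that matches no rule is dropped: default deny between zones.
ALLOW = [
    ("internet", "dmz", None, DMZ_SMTP, {25}),       # inbound mail to the DMZ relay only
    ("internet", "dmz", None, DMZ_WEB, {80, 443}),   # public web servers
    ("dmz", "lan", DMZ_SMTP, EXCHANGE, {25}),        # relay -> Exchange, nothing else
    ("dmz", "lan", DMZ_WEB, APP_SERVER, {443}),      # web -> internal app over 443
    ("lan", "internet", None, None, None),           # relaxed outbound
    ("lan", "dmz", None, None, {22, 80, 443}),       # admin and testing from the LAN
]

def allowed(src, dst, port, ruleset=ALLOW):
    """Return True if the TCP flow src -> dst:port matches an allow rule."""
    src, dst = ip_address(src), ip_address(dst)
    for r_sz, r_dz, r_src, r_dst, ports in ruleset:
        if (zone_of(src), zone_of(dst)) != (r_sz, r_dz):
            continue
        if (r_src is not None and src != r_src) or (r_dst is not None and dst != r_dst):
            continue
        if ports is None or port in ports:
            return True
    return False

def audit(ruleset=ALLOW):
    """Flag rules that violate the zone model: any Internet -> LAN rule, or an inbound
    or DMZ -> LAN rule that is not pinned to a destination host and port list."""
    findings = []
    for i, (sz, dz, r_src, r_dst, ports) in enumerate(ruleset):
        if sz == "internet" and dz == "lan":
            findings.append(f"rule {i}: Internet reaches LAN directly")
        if sz == "internet" and (r_dst is None or ports is None):
            findings.append(f"rule {i}: inbound rule is not host- and port-specific")
        if sz == "dmz" and dz == "lan" and None in (r_src, r_dst, ports):
            findings.append(f"rule {i}: DMZ->LAN rule is not host- and port-specific")
    return findings
```

Running `audit()` before loading a real ruleset onto the firewall catches the broad DMZ-to-LAN rule that would let a compromised web server reach a domain controller.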
 
anon1m0usAuthor Commented:
Sounds good.
Last question. I know it is stupid, but why do we need a DMZ? Why not just use firewall rules to restrict the internal and external traffic and control that?
0
 
JohnjcesCommented:
"Why not just use firewall rules to restrict the internal and external traffic and control that?"

That is what I have been trying to advise you to do and not use a DMZ unless you have multiple public IPs assigned to you as feptias has pointed out.

Since you stated a "small company" I assumed one Public IP and I will still bet you have just one WAN or Internet/Public IP address assigned to you and not a group of public IPs. Most Q's similar to this are using just that, one IP and everything else is NATed. (An assumption on my part).

I absolutely agree with feptias on everything he stated very well and very clearly.

John
0
 
anon1m0usAuthor Commented:
We have 4-6 public IP's. Would that make a difference?
0
 
JohnjcesCommented:
Depends on how they come in.

As feptias stated...

"Do you have just one or a small block of static IP addresses assigned to you by your ISP; What are the capabilities of your firewall(s); Finally, it can make a difference how your ISP connects to your firewall/router - in data centres you may be given a single IP address to use on the WAN port of your router and also be assigned a small subnet such as a block of 16 static IP addresses."

I really think you need to hire a consultant to help you through this.

Sorry and good luck!

John  - - Out
0
 
feptiasCommented:
"Why not just use firewall rules to restrict the internal and external traffic and control that?"

a) By your own words - "We need a DMZ, based on a security audit by a vendor of ours." You are not the first or the last to be obliged to adjust the design of their network security to meet standards set by a client. Use it as an opportunity to improve your general network design.
b) The DMZ is your outer ring of defences with the LAN as your inner ring. The same principle as some medieval castles which had outer and inner concentric walls. Some servers - like web or mail - have to be directly accessible from the Internet so those go in the DMZ. Workstations and some other servers - like Domain Controllers - do not, so they go in the LAN. Firewalls restrict access between the two zones to the absolute minimum, just as you restrict access from the Internet to the DMZ servers to the absolute minimum needed for them to function.
0
