• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 430

Adding DMZ Servers to internal domain

Howdy,

Quirky question - currently we have our internal domain, a DMZ in its own workgroup, and a
router/firewall connecting the two.  We have ACLs limiting the connectivity between the two,
and I was wondering whether, because of those ACLs, I'd be OK adding the servers in our DMZ
to our internal domain, i.e. we'd open up traffic on port 389 (LDAP) and port 53 (DNS) and leave
the rest blocked.  Would that cause an absurd lack of security?

Thanks!
Matt
0
Asked: mhentrich
1 Solution
 
Fridolin Mansmann (Master of Business Engineering Management) commented:
No, to get it to work properly you need some more:
See here:
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

Check the tables and decide what services / ports you need.
Then define these on the firewall with the correct source and target IPs
e.g. ports 88, 636, 3268, 3269 (for replication)


http://technet.microsoft.com/en-us/library/bb727063.aspx

My experience is that ports 135, 137, 138, 139 are also necessary, because clients try to open authentication sessions etc. via NetBIOS as well (first).
Be sure that DNS (port 53) is working too!
0
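The answer above boils down to "check the port tables, then write one firewall rule per source/target pair". The following script is an added example, not code from the thread or from Microsoft: run it on a DMZ server before the domain join to confirm that the ACLs actually pass the ports a member server needs against a DC. The DC address, domain name and the claim that only two DMZ hosts are allowed through are hypothetical; the port list is the TCP subset a member server uses from the TechNet port-requirements tables, not only LDAP/DNS as the question proposed.

```powershell
# Added example (not from the original thread): pre-join reachability check from a DMZ host.
# Assumptions (hypothetical): the DC is 10.0.1.10 and the internal domain is corp.example.
$Dc     = '10.0.1.10'
$Domain = 'corp.example'

# TCP ports a member server talks to a DC on; the dynamic RPC range is handled separately below.
$TcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, Netlogon)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAPS'
}

# One TCP probe per port; Test-NetConnection is built into Windows 8 / Server 2012 and later.
$Results = foreach ($Port in ($TcpPorts.Keys | Sort-Object)) {
    $t = Test-NetConnection -ComputerName $Dc -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $Port
        Service = $TcpPorts[$Port]
        Open    = $t.TcpTestSucceeded
    }
}
$Results | Format-Table -AutoSize

# UDP (Kerberos 88, LDAP 389, DNS 53, NTP 123) cannot be probed with a TCP connect. Checking the
# DNS side with a real SRV lookup against the DC also proves the DC is discoverable from the DMZ.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc -ErrorAction Stop |
    Select-Object Name, NameTarget, Port

# Dynamic RPC range (49152-65535 on Server 2008 and later): the DC chooses the port, so confirm
# that the endpoint mapper answers and let the join attempt itself exercise the range.
if (-not ($Results | Where-Object { $_.Port -eq 135 }).Open) {
    Write-Warning 'Port 135 blocked: the domain join and the Netlogon secure channel will fail.'
}

# Anything still closed is a firewall rule to add (source = this DMZ host, target = $Dc only).
$Results | Where-Object { -not $_.Open }
```

Keep the rules host-specific in both directions: the DMZ server's IP as source and the DC's IP as target, never the whole DMZ subnet, so that a compromised DMZ host that was never meant to be a domain member gains nothing from the opening.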
 
Fridolin Mansmann (Master of Business Engineering Management) commented:
It is not a security hole from my perspective if you have clear rules (source IP, port => target IP, port).
I would propose doing some monitoring and also spot checks on event logs, auditing logs....
If this is a *managed* environment, why not.
I assume in this case that the servers in the DMZ (which are accessible from the Internet) are hardened and also monitored?

0
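As a concrete form of the "spot check on event logs" suggested above, here is an added example (not from the thread) that runs on a domain controller and pulls the last day of logon events whose source is the DMZ subnet. The DMZ prefix, the two allowed hosts and the one-day window are assumptions; the event IDs and field names are the standard ones in the Windows Security log (4624 successful logon, 4625 failed logon), and the "Audit Logon" subcategory must be enabled for them to exist.

```powershell
# Added example (not from the original thread): spot check of DC logon events coming from the DMZ.
# Assumptions (hypothetical): the DMZ is 192.0.2.0/24 and only 192.0.2.10 and 192.0.2.11 are
# supposed to have firewall rules to this DC.
$DmzPrefix  = '192.0.2.'
$AllowedDmz = @('192.0.2.10', '192.0.2.11')
$Since      = (Get-Date).AddDays(-1)

# 4624 = successful logon, 4625 = failed logon; both carry the client address in the event data.
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since } `
    -ErrorAction SilentlyContinue

# Flatten the EventData XML into a hashtable and keep only events sourced from the DMZ.
$Rows = foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['IpAddress'] -like "$DmzPrefix*") {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Result    = if ($e.Id -eq 4624) { 'success' } else { 'FAIL' }
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $d['LogonType']   # 3 = network, the expected type for a DMZ member server
            SourceIp  = $d['IpAddress']
        }
    }
}

# 1) Which accounts are used from the DMZ at all? Computer accounts (names ending in $) and the
#    service accounts the DMZ apps run as are expected; interactive admin accounts are not.
$Rows | Group-Object Account, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2) Failures from the DMZ: a burst is either a misconfigured service or a compromised DMZ host
#    trying credentials against the internal domain through the hole you just opened.
$Rows | Where-Object Result -eq 'FAIL' | Format-Table Time, Account, SourceIp -AutoSize

# 3) A DMZ source outside the allow-list reached the DC: the firewall rule is broader than intended.
$Rows | Where-Object { $_.SourceIp -notin $AllowedDmz } |
    Select-Object -ExpandProperty SourceIp -Unique |
    ForEach-Object { Write-Warning "Unexpected DMZ source authenticated to this DC: $_" }
```

Check 3 is the one that directly tests the claim in the answer: the setup is only as safe as the "clear rules", and the DC's own log is the cheapest place to verify that those rules hold.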
 
mhentrich (Author) commented:
Thanks mansmanf, spot on... help me figure out what you mean by hardened and monitored, though.  We have a monitoring program in place that keeps tabs on disk space, RAM usage, etc. and lets us know if a server goes down.  We also have an IPS on the aforementioned firewall.  What else would you consider necessary?

Thanks,
Matt
0
 
mhentrich (Author) commented:
Thanks!
0
 
Fridolin Mansmann (Master of Business Engineering Management) commented:
A good point to start is Technet, e.g.
http://technet.microsoft.com/en-us/library/cc264463.aspx
Be sure to document what you are doing; then you will be able to revert steps if something is no longer working.
0
