Solved

Adding DMZ Servers to internal domain

Posted on 2011-02-17
385 Views
Last Modified: 2013-12-23
Howdy,

Quirky question - currently we have our internal domain, a DMZ in its own workgroup, and a
router/firewall connecting the two.  We have ACLs limiting the connectivity between the two,
and I was wondering if, because of those ACLs, I'd be OK to add the servers in our DMZ
to our internal domain.  I.e., we'd open up traffic on port 389 (LDAP) and port 53 (DNS) and leave
the rest blocked.  Would that cause an absurd lack of security?

Thanks!
Matt
Question by:mhentrich
5 Comments
 
LVL 4

Accepted Solution

by:
mansmanf earned 125 total points
ID: 34920475
No, to get it to work properly you need some more.
See here:
http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

Check the tables and decide what services / ports you need.
Then define these on the firewall with the correct source and target IPs,
e.g. ports 88, 636, 3268, 3269 (for replication).


http://technet.microsoft.com/en-us/library/bb727063.aspx

My experience is that ports 135, 137, 138 and 139 are also necessary, because clients also try to open authentication sessions etc. via NetBIOS (first).
Be sure that DNS (port 53) is working as well!
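The accepted solution boils down to a checklist: every service in the TechNet port table needs an explicit source-IP/port => target-IP/port permit, and nothing wider. The script below is an added example (not code from the thread or from Microsoft) that audits a constructed ACL for exactly that. The rule format, the first-match/default-deny semantics, the example addresses (192.0.2.10 for the DMZ member, 10.0.0.5 for the domain controller) and the service labels attached to the port numbers are all assumptions for illustration; the ports themselves are the ones named in the answer, and the authoritative list is the linked TechNet table.

```python
"""Audit a DMZ -> internal firewall ACL against the AD ports named in the thread.

Added example for this Q&A page, not code from the original post.
Rule format, match semantics and addresses are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Ports from the accepted answer. Service names are an assumption; the
# TechNet table linked in the answer is the authoritative reference.
REQUIRED = {
    ("tcp", 53): "DNS",
    ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos",
    ("udp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session",
    ("tcp", 389): "LDAP",
    ("udp", 389): "LDAP ping",
    ("tcp", 636): "LDAP over SSL",
    ("tcp", 3268): "Global Catalog",
    ("tcp", 3269): "Global Catalog over SSL",
}


@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any destination port
    action: str           # "permit" or "deny"


def matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """True if a single flow (src, dst, proto, dport) is covered by the rule."""
    return (ip_address(src_ip) in ip_network(rule.src)
            and ip_address(dst_ip) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.port in (None, port))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """First-match evaluation with an implicit default deny (assumed semantics)."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, proto, port):
            return rule.action == "permit"
    return False


def audit(rules: List[Rule], dmz_host: str, dc: str) -> Tuple[List[str], List[Rule]]:
    """Return (missing, broad).

    missing: required services the ACL blocks between dmz_host and dc.
    broad:   permit rules wider than one host -> one host on one proto/port,
             i.e. rules that would let the DMZ reach more than the DC services.
    """
    missing = sorted(
        f"{name} ({proto}/{port})"
        for (proto, port), name in REQUIRED.items()
        if not evaluate(rules, dmz_host, dc, proto, port)
    )
    broad = [
        r for r in rules
        if r.action == "permit"
        and (r.port is None or r.proto == "any"
             or ip_network(r.src).num_addresses > 1
             or ip_network(r.dst).num_addresses > 1)
    ]
    return missing, broad


# Constructed sample addresses (RFC 5737 / RFC 1918 ranges).
DMZ_HOST = "192.0.2.10"
DC = "10.0.0.5"

# The asker's proposal: only LDAP and DNS opened (constructed rule set).
PROPOSED = [
    Rule(f"{DMZ_HOST}/32", f"{DC}/32", "tcp", 389, "permit"),
    Rule(f"{DMZ_HOST}/32", f"{DC}/32", "tcp", 53, "permit"),
    Rule(f"{DMZ_HOST}/32", f"{DC}/32", "udp", 53, "permit"),
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]

# A tempting shortcut: let the whole DMZ subnet reach the whole internal net.
SLOPPY = PROPOSED[:3] + [Rule("192.0.2.0/24", "10.0.0.0/8", "any", None, "permit")]


def full_rule_set() -> List[Rule]:
    """Explicit host-to-host permits for every required service, then deny all."""
    rules = [Rule(f"{DMZ_HOST}/32", f"{DC}/32", proto, port, "permit")
             for proto, port in REQUIRED]
    rules.append(Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"))
    return rules


if __name__ == "__main__":
    for label, rules in (("proposed", PROPOSED), ("sloppy", SLOPPY), ("full", full_rule_set())):
        missing, broad = audit(rules, DMZ_HOST, DC)
        print(f"{label}: {len(missing)} required services blocked, {len(broad)} over-broad permits")
        for item in missing:
            print("  blocked:", item)
```

Run against the asker's LDAP-plus-DNS proposal the audit lists Kerberos, RPC, NetBIOS and the Global Catalog ports as blocked, which is the point of the answer; run against the subnet-to-subnet shortcut it reports nothing blocked but one over-broad permit, which is the "clear rules" condition the follow-up comment attaches to calling this safe.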
 
LVL 4

Expert Comment

by:mansmanf
ID: 34920546
It is not a security hole from my perspective if you have clear rules (source IP, port => target IP, port).
I would propose to do some monitoring and also spot checks on event logs, auditing logs....
If this is a *managed* environment, why not.
I assume in this case that the servers in the DMZ (that are accessible from the Internet) are hardened and also monitored?

 

Author Comment

by:mhentrich
ID: 34923732
Thanks mansmanf, spot on... help me figure out what you mean by hardened and monitored, though.  We have a monitoring program in place that keeps tabs on disk space, RAM usage, etc. and lets us know if a server goes down.  We also have an IPS on the aforementioned firewall.  What else would you consider necessary?

Thanks,
Matt
 

Author Closing Comment

by:mhentrich
ID: 34923737
Thanks!
 
LVL 4

Expert Comment

by:mansmanf
ID: 34923835
A good point to start is TechNet, e.g.
http://technet.microsoft.com/en-us/library/cc264463.aspx
Be sure to document what you are doing; then you will be able to revert steps if something is not working any more.
