We help IT Professionals succeed at work.
Get Started
outgoing licensing validation should be in DMZ or internal/backend zone? What mitigations if none
We have a internal zone server holding financial data.
Users would like to load ACL (Audit Command Language) into it to analyse the data but ACL
requires periodic (think can be daily) connection to Internet (& possibly incoming ports but
I'm not certain about incoming) for license validation.
Q1:
For a server that goes out to Internet, shouldn't it be placed in DMZ rather than internal zone?
Q2:
Or it does not matter for outgoing; it's more for incoming connections (eg: web server) that
needs to be placed in DMZ?
Q3:
If we don't move the server to DMZ, what are the mitigations we can consider?
Let this server connect to a proxy to go out to Internet?
Use firewall to permit it to a specific destination IP for license validation only?
If the ACL component can't go by proxy, but it requires a non Tcp80/non Tcp443,
is this considered safe to permit (without going thru proxy)?
Q4:
If an internal zone server (Prod) goes out via proxy on Tcp80/443, isn't this
akin to a sysadmin being allowed to browse Internet from an internal server
which is risky?
Users would like to load ACL (Audit Command Language) into it to analyse the data but ACL
requires periodic (think can be daily) connection to Internet (& possibly incoming ports but
I'm not certain about incoming) for license validation.
Q1:
For a server that goes out to Internet, shouldn't it be placed in DMZ rather than internal zone?
Q2:
Or it does not matter for outgoing; it's more for incoming connections (eg: web server) that
needs to be placed in DMZ?
Q3:
If we don't move the server to DMZ, what are the mitigations we can consider?
Let this server connect to a proxy to go out to Internet?
Use firewall to permit it to a specific destination IP for license validation only?
If the ACL component can't go by proxy, but it requires a non Tcp80/non Tcp443,
is this considered safe to permit (without going thru proxy)?
Q4:
If an internal zone server (Prod) goes out via proxy on Tcp80/443, isn't this
akin to a sysadmin being allowed to browse Internet from an internal server
which is risky?
Why Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE