Currently I am working on a firewall using the "screened network architecture":

Internet ---> eth0-(firewall-A)-eth1----DMZ---eth0-(firewall-B)-eth2---LAN

To my knowledge a "public" server that can be accessed from the internet should be placed in the DMZ. But is this also the right place for a W2K terminal-server (part of a windows-domain) which is to be accessed from external clients as well as from some clients in the private LAN?

Greetings

AdK.
admin@kiteflyer.com
2002-Feb-24 22:14 UTC
[Shorewall-users] Re: Where to place a W2K-terminal-server
> Currently I am working on a firewall using the "screened network architecture":
>
> Internet ---> eth0-(firewall-A)-eth1----DMZ---eth0-(firewall-B)-eth2---LAN
>
> To my knowledge a "public" server that can be accessed from the internet
> should be placed in the DMZ. But is this also the right place for a W2K
> terminal-server (part of a windows-domain) which is to be accessed
> from external clients as well as from some clients in the private LAN?
>
> Greetings
>
> AdK.

I would probably create a DMZ2 for it. You don't want it in the zone with "public" servers, as if they are compromised, your RAS server will likely be too. Considering the fact that the reason for RAS is to access your internal LAN and probably some outside NET, the rules would likely be very different than the others in the DMZ. If I were forced to stick to the 3 interface model, I'd put it in with the LAN.

Just my .02 worth....

Wayne King

/insert witty quote here/

---------------------------------------------
Jerry Vonau
2002-Feb-24 22:41 UTC
[Shorewall-users] Re: Where to place a W2K-terminal-server
Mine is on the lan with only port 3389 forwarded to it, for the terminal-server rdp stuff. Works fine, no messing with extra rules for the DMZ<->LAN for the MS domain.

Just my (CDN) .02 worth....

Jerry Vonau

admin@kiteflyer.com wrote:
> I would probably create a DMZ2 for it. You don't want it in the zone with
> "public" servers, as if they are compromised, your RAS server will likely be
> too. Considering the fact that the reason for RAS is to access your internal LAN
> and probably some outside NET, the rules would likely be very different than the
> others in the DMZ. If I were forced to stick to the 3 interface model, I'd put
> it in with the LAN.
>
> Just my .02 worth....
>
> Wayne King
>
> /insert witty quote here/
>
> ---------------------------------------------
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
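The two layouts proposed so far, Wayne's separate zone for the terminal server and Jerry's 3389-only forward, written out as Shorewall configuration. This is an added example, not from any poster on the thread; it uses the modern Shorewall 4 file format rather than the 1.x format current in 2002, and the fourth NIC (eth3), the zone name "ts" and the 192.168.x addresses are constructed.

```text
# /etc/shorewall/zones  -- add a fourth zone "ts" for the terminal server
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
ts      ipv4
loc     ipv4

# /etc/shorewall/interfaces  -- one NIC per zone (eth3 is constructed)
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter
dmz     eth1        tcpflags
ts      eth2        tcpflags
loc     eth3        tcpflags

# /etc/shorewall/policy  -- default deny; only the LAN is trusted to initiate
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
loc     ts      ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION SOURCE  DEST                PROTO   DPORT
# RDP from the Internet reaches the terminal server only (constructed address);
# LAN clients reach it through the loc->ts ACCEPT policy above.
DNAT    net     ts:192.168.20.10    tcp     3389
# The server is domain-joined, so whatever it needs from the LAN must be
# opened with explicit ts->loc rules here; everything else from ts is
# rejected and logged by the catch-all policy.
#
# Jerry's variant (server on the LAN, only 3389 forwarded) needs no ts zone:
# DNAT  net     loc:192.168.1.10    tcp     3389
```

Because ts->loc has no ACCEPT policy, a compromise of the terminal server cannot by itself reach the LAN, which is the separation Wayne's DMZ2 suggestion is after.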
The important point to keep in mind with any box that is going to be Internet-accessible in some way, whether it is wide open, on a DMZ, or inside, is that it must be locked down as securely as possible. I think many people proceed down the DMZ (or "gasp," even internally accessible services via port forwarding) path with some dangerous assumptions: 1) it's on a DMZ, so I'm not too worried about it, or 2) it's inside, so my FW is protecting it. It DOESN'T-MATTER-WHERE-IT-IS if it is not secure in its own right.

Having said that, just decide how comfortable you are with it (Windoze?!), how much network complexity you (or it) can stand, and put it wherever feels good.

.02 more cents worth.

Paul

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Jerry Vonau
Sent: Sunday, February 24, 2002 3:41 PM
To: shorewall-users@shorewall.net
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Re: Where to place a W2K-terminal-server

> Mine is on the lan with only port 3389 forwarded to it, for the terminal-server rdp stuff.
> Works fine, no messing with extra rules for the DMZ<->LAN for the MS domain.
>
> Just my (CDN) .02 worth....
>
> Jerry Vonau
Paul Gear
2002-Feb-28 11:03 UTC
[Shorewall-users] Re: Where to place a W2K-terminal-server
Ace wrote:
> The important point to keep in mind with any box that is going to be
> Internet-accessible in some way, whether it is wide open, on a DMZ, or
> inside, is that it must be locked down as securely as possible. I think
> many people proceed down the DMZ (or "gasp," even internally accessible
> services via port forwarding) path with some dangerous assumptions: 1) it's
> on a DMZ, so I'm not too worried about it, or 2) it's inside, so my FW is
> protecting it. It DOESN'T-MATTER-WHERE-IT-IS if it is not secure in its
> own right.
>
> Having said that, just decide how comfortable you are with it
> (Windoze?!), how much network complexity you (or it) can stand, and put it
> wherever feels good.
>
> .02 more cents worth.

I know this one's getting a bit old, but I thought I'd throw in another AU$0.02 (around US$0.01 :-).

I think Ace/Paul is right in one respect, that if the box is not secure, then it matters little to that box where it is in the network. This is especially true these days, when most exploits are done through externally-accessible services like HTTP and SNMP.

However, one must consider not only what the risk to that system is, but the risk of that system being compromised to surrounding systems. If someone compromises your basic web server in a DMZ, they can deface your web page, but that's about it. If they compromise your web server which is internal, they can compromise your whole internal LAN.

This is why I don't really like the 1 firewall/3 NIC model for any sizable organisation. It makes the internal network vulnerable to the compromise of one system: the firewall. Even if it is more locked-down than systems in the DMZ, it can still be compromised. A better model in such situations is one which has two firewall systems, and a separate DMZ in between:

Internet -> outer guard firewall -> DMZ LAN -> inner guard firewall -> internal LAN.

This means that to get to the internal LAN, you have to compromise two firewalls.
Paul
http://paulgear.webhop.net
---
Tom for President! :-)