DMZ server configuration

Unanswered Question
Mar 6th, 2007

I'm a little unsure about how our servers are configured on our DMZ and I want to know if our setup is the best practice or if I'm doing it completely wrong.


We have 3 servers on our DMZ - 2 IIS/webservers, and 1 front end Exchange server. Each server has two NIC cards in it.


One of the NIC cards has an IP address on the DMZ IP space with a default gateway pointing to the DMZ interface of our PIX so that traffic can get back out. The other NIC card has an IP address on our internal network IP space so that it can talk with our domain, and it's directly connected to a switch on the inside network completely bypassing the PIX. This NIC card has no default gateway specified because Windows 2003 server doesn't like it when you have two NIC cards with two different default gateways.


Is this a bad configuration or is this somewhat normal? Thanks for any advice.

acomiskey Tue, 03/06/2007 - 08:55

The term is multi-homed. It's not just Windows 2003, you can't have 2 default gateways, period. I would consider it bad security practice. For example, if someone somehow took control of your DMZ machine, they would have direct access to your inside network, bypassing the PIX.

Richard Burts Tue, 03/06/2007 - 09:04

Andrew


That is not the way that DMZ is usually done. Part of the normal rationale for a DMZ is that devices go into the DMZ which are open to the public. The DMZ allows connectivity from outside and limits connectivity to inside. Therefore if one of the servers in the DMZ is compromised it does not allow the attacker direct access to the inside network. What you are doing in your situation is to provide direct and unprotected access to the inside network.


From a security perspective I would say it was not a good config.


HTH


Rick

abruso Tue, 03/06/2007 - 09:08

Then how do I give the servers in the DMZ access to servers on the inside network? The developers keep telling me that their web apps need to be able to access the domain for the SQL server connections, etc.

acomiskey Tue, 03/06/2007 - 09:11

You need an access-list applied inbound on the dmz interface to allow the traffic, and also a NAT rule.


access-list dmz_access_inside permit tcp host host eq 1433
access-list dmz_access_inside deny ip
access-list dmz_access_inside permit ip any any
access-group dmz_access_inside in interface dmz

static (inside,dmz) netmask

or

static (inside,dmz) netmask 255.255.255.255
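The access-list sketched above, completed and run through PIX first-match semantics, as an added example that is not part of the thread or any poster's configuration. The host and network operands the forum stripped are filled in from assumed addresses (192.168.100.x for the DMZ, 10.0.0.0/24 inside, a TEST-NET address for the Internet); the server names, the flows checked and the deliberately misordered second list are all constructed for illustration. The `static` identity-NAT line is not modelled. Note that no entry in this list can ever see traffic that leaves a server through its second, inside-connected NIC; that path never reaches the PIX.

```python
"""Added example: PIX-style access-list parsing and first-match evaluation.
Constructed for illustration; addresses and host names are assumptions,
not taken from the thread. The `static` identity-NAT lines are not modelled.
"""
import ipaddress
from typing import NamedTuple, Optional

# Assumed addressing (not from the thread).
DMZ_WEB_1 = "192.168.100.10"
DMZ_WEB_2 = "192.168.100.11"
DMZ_EXCHANGE_FE = "192.168.100.12"
INSIDE_SQL = "10.0.0.50"
INSIDE_DC = "10.0.0.10"
INSIDE_NET = "10.0.0.0 255.255.255.0"
INTERNET_HOST = "198.51.100.7"   # TEST-NET-2, stands in for any outside host

# The list from the thread, with the stripped host/network operands
# filled in from the assumed addresses above.
ACL_TEXT = f"""
access-list dmz_access_inside permit tcp host {DMZ_WEB_1} host {INSIDE_SQL} eq 1433
access-list dmz_access_inside permit tcp host {DMZ_WEB_2} host {INSIDE_SQL} eq 1433
access-list dmz_access_inside deny ip any {INSIDE_NET}
access-list dmz_access_inside permit ip any any
"""

# Same entries with the last two swapped: a common mistake that silently
# opens the whole inside network, because PIX stops at the first match.
MISORDERED_ACL_TEXT = f"""
access-list dmz_access_inside permit tcp host {DMZ_WEB_1} host {INSIDE_SQL} eq 1433
access-list dmz_access_inside permit tcp host {DMZ_WEB_2} host {INSIDE_SQL} eq 1433
access-list dmz_access_inside permit ip any any
access-list dmz_access_inside deny ip any {INSIDE_NET}
"""


class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq N", if any


def _parse_addr(tokens, i):
    """Parse one address operand at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D M.M.M.M": PIX takes a real subnet mask, not an IOS wildcard.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Return the entries of access-list `name`, in configured order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", name]:
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


def check_flows(acl_text):
    """Evaluate the flows the thread cares about through the given list."""
    rules = parse_acl(acl_text, "dmz_access_inside")
    flows = {
        "web1_to_sql_1433": (DMZ_WEB_1, INSIDE_SQL, "tcp", 1433),
        "web1_to_sql_445": (DMZ_WEB_1, INSIDE_SQL, "tcp", 445),
        "exchange_to_dc_389": (DMZ_EXCHANGE_FE, INSIDE_DC, "tcp", 389),
        "web1_to_internet_80": (DMZ_WEB_1, INTERNET_HOST, "tcp", 80),
    }
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for label, text in (("correct order", ACL_TEXT), ("misordered", MISORDERED_ACL_TEXT)):
        print(label)
        for name, verdict in check_flows(text).items():
            print(f"  {name:22} {verdict}")
```

With the entries in the order the answer gives, only the SQL connection from the web servers reaches the inside; SMB to the same SQL host and LDAP from the Exchange front end are stopped by the `deny ip any <inside network>` entry, while outbound web traffic still matches the trailing `permit ip any any`. Swap the last two entries and every flow is permitted, which is the same exposure the second NIC creates, only now with the PIX in the path and looking correct at a glance.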
