DMZ with Winroute (Kerio Control forum)

Saschman
Hi,
how can I set up a PC as a DMZ with Winroute?

I have read somewhere that it would work with an extra NIC. How would that be done?

Regards
Sascha
feite

Usually you have two NICs (Internet, LAN). Add an extra NIC (DMZ). The settings for this DMZ NIC are the same as for the LAN; only the IP segment should be different. In the traffic rules you can now create rules for access to the DMZ (access from the Internet to services hosted in the DMZ, and access from the LAN to services hosted in the DMZ). You can also create rules to specify access from the DMZ to the Internet and the LAN.
winkelman

feite wrote on Sun, 25 September 2005 20:49:

> Also you can create rules to specify access from dmz to internet and lan.

The idea of a DMZ is to provide security. It's a place where you host publicly available services (like web services) that could get compromised (hacked). You should never be able to travel from the DMZ (from a compromised machine) to the LAN; otherwise you might as well have run the service on the LAN itself.

So a DMZ is indeed attached through an extra network adapter, but the traffic policy should not allow traffic from the DMZ to the LAN. So, for example:

LAN ----> DMZ
Internet ----> DMZ
LAN ----> Internet

Internet --not--> LAN
DMZ --not--> LAN
feite

As basic guidelines I agree. But when, for example, a website uses a database to store orders, you should not put the database in the DMZ. In that case you have a specific rule in the firewall to allow access from the web server to the database.

[Updated on: Tue, 27 September 2005 19:52]

winkelman

I would carefully rethink such a setup, because if a service in the DMZ gets hacked, and if through that service the database on the LAN gets hacked as well, your LAN is wide open, as if no firewall were there at all.

If there is no other way: OK, sure. But you would need to very proactively patch and lock down the machines in the DMZ if your data(base) is valuable. You may even consider placing the database in the DMZ, because then at least the LAN is still protected.

There is of course no right or wrong way here. All depends on choices: what is more important? Should the database be more protected (inside the LAN), or is the LAN very important (database in the DMZ)? It's just that I see lots of networks configured badly. People have heard of DMZs and think "I must get a DMZ", and then stop thinking and entirely defeat its purpose by allowing a lot of (unnecessary) access from the DMZ to the LAN.

An 'in between' option is to place a second database in the DMZ and sync only the necessary data from the LAN database. This can be useful if only a small part of the database is needed in the DMZ. Of course, this syncing should be initiated from the LAN database, so no incoming traffic from the DMZ to the LAN is needed.

[Updated on: Wed, 28 September 2005 13:07]
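The three policies discussed in this thread (winkelman's zone rules, feite's web-server-to-database exception, and the blanket DMZ-to-LAN allow winkelman warns against), modelled as an ordered, first-match rule table so they can be checked against concrete flows. This is an added example, not Kerio WinRoute code or configuration; the zone addressing, the web server and database hosts, and the database port 1433 are all assumptions made for illustration, and only the connection-opening packet is evaluated (reply traffic is assumed to be handled by the firewall's stateful inspection).

```python
"""Three-zone traffic policy model (LAN / DMZ / Internet), first match wins.

Added example, not Kerio WinRoute code. Rules are checked top to bottom,
the first match decides, and anything unmatched falls to a default deny.
All addresses and ports below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed addressing: one NIC per zone, each NIC on its own segment.
ZONES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
}
WEB_SERVER = "192.168.2.10"  # assumed host in the DMZ
DB_SERVER = "192.168.1.20"   # assumed host on the LAN


def zone_of(ip: str) -> str:
    """Zone behind whose NIC an address lives; anything not local is Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass
class Rule:
    name: str
    src_zone: str                   # "lan", "dmz" or "internet"
    dst_zone: str
    action: str                     # "allow" or "deny"
    dst_port: Optional[int] = None  # None matches any port
    src_host: Optional[str] = None  # None matches any host in src_zone
    dst_host: Optional[str] = None  # None matches any host in dst_zone

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        same = lambda a, b: ipaddress.ip_address(a) == ipaddress.ip_address(b)
        return (
            zone_of(src_ip) == self.src_zone
            and zone_of(dst_ip) == self.dst_zone
            and (self.dst_port is None or self.dst_port == dst_port)
            and (self.src_host is None or same(self.src_host, src_ip))
            and (self.dst_host is None or same(self.dst_host, dst_ip))
        )


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule decides; no match means the default deny applies."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.action
    return "deny"


# winkelman's policy: LAN -> DMZ, Internet -> DMZ (web only), LAN -> Internet.
# Internet -> LAN and DMZ -> LAN are not listed, so they hit the default deny.
BASE_POLICY = [
    Rule("lan-to-dmz", "lan", "dmz", "allow"),
    Rule("internet-to-web", "internet", "dmz", "allow", dst_port=80, dst_host=WEB_SERVER),
    Rule("lan-to-internet", "lan", "internet", "allow"),
]

# feite's exception, scoped as tightly as possible: only the web server,
# only to the database host, only on the database port (1433 assumed).
DB_EXCEPTION_POLICY = [
    Rule("web-to-db", "dmz", "lan", "allow", dst_port=1433,
         src_host=WEB_SERVER, dst_host=DB_SERVER),
] + BASE_POLICY

# The misconfiguration winkelman warns about: a blanket DMZ -> LAN allow.
OVERBROAD_POLICY = [Rule("dmz-to-lan", "dmz", "lan", "allow")] + BASE_POLICY


def overbroad_dmz_to_lan(rules: List[Rule]) -> List[str]:
    """Names of DMZ -> LAN allow rules not pinned to a host pair and a port."""
    return [
        r.name for r in rules
        if r.action == "allow" and r.src_zone == "dmz" and r.dst_zone == "lan"
        and (r.src_host is None or r.dst_host is None or r.dst_port is None)
    ]


if __name__ == "__main__":
    for label, policy in [("base", BASE_POLICY),
                          ("db-exception", DB_EXCEPTION_POLICY),
                          ("overbroad", OVERBROAD_POLICY)]:
        print(label,
              "web->db:1433", evaluate(policy, WEB_SERVER, DB_SERVER, 1433),
              "web->db:445", evaluate(policy, WEB_SERVER, DB_SERVER, 445),
              "flagged:", overbroad_dmz_to_lan(policy))
```

Note that the LAN-initiated sync winkelman suggests (LAN database pushing to a DMZ copy) needs no DMZ-to-LAN rule at all: it is covered by the existing LAN -> DMZ allow, which is why `evaluate(BASE_POLICY, DB_SERVER, WEB_SERVER, 1433)` already returns `allow` while the reverse direction stays denied. `overbroad_dmz_to_lan` is the audit a practitioner would run on an exported rule set: any DMZ -> LAN allow that is not pinned to a source host, destination host and port is the "stop thinking" configuration described above.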
