
So for an assignment, we need to create a scheme (and eventually also the set-up) of a couple of servers in a network.

The 'networks' are:

  1. Internal network
  2. DMZ
  3. The internet

And the servers we need to place are the following:

  1. DNS Server
  2. Active Directory ([multiple] DC's)
  3. MSSQL server
  4. Webserver
  5. MS Exchange 2010 Server, split up in 3 parts: Client side, SMTP, and other functionalities (whatever those may be)

Now I was wondering which of these servers to put in the DMZ <-> internal.

The MSSQL server and AD server(s) should be placed inside the internal network. Of that I am quite sure (? :D).

The webserver and DNS server should be in the DMZ, right? I just don't know why, so any explanations about that would be greatly appreciated as well.

But then there are the three Exchange servers. I have absolutely no clue about where to place which part of these 3. Could anyone give some hints/tips and best practices about (mail)servers?

Also, to route/firewall these networks (internal, DMZ and internet), we use the Forefront TMG.

Any help is greatly appreciated!

voluminat0
  • @Adnan, I have no clue where to post this question. The main reason why I ask this question is for security reasons and their best practices. – voluminat0 Mar 01 '13 at 15:14
  • @ValentijnSpruyt there is never any reason to use a full DMZ, just set up a static NAT filter. – lynks Mar 01 '13 at 15:17
  • @lynks, and if the assignment literally says to use one, would you put the client side of the Exchange server (POP3, IMAP, webmail) internally or in the DMZ? – voluminat0 Mar 01 '13 at 15:19
  • However a good DMZ can aid in demonstrating segregation by risk, so I am pro-DMZ's when they serve a useful purpose – Rory Alsop Mar 01 '13 at 15:19
  • Join [the DMZ](http://chat.stackexchange.com/rooms/151/the-dmz), it's a fun place to hang out. – CodesInChaos Mar 01 '13 at 16:10
  • Your first step in this assignment should be to find out what a DMZ actually is. Once you know what it is, you can then decide if you need it. And don't listen to lynks, there are plenty of reasons to use a DMZ. For starters, blocking inbound connections from devices in the DMZ to your LAN. Any time you expose something to the Interwebs (in this case the devices in the DMZ), you're putting them at risk. If you leave those devices in your LAN and simply set up "NAT filters" like he suggested, you're potentially putting your whole LAN at risk the second one of those NAT'd machines gets compromised – Safado Mar 01 '13 at 16:26
  • @Safado what you just explained has nothing to do with a DMZ, and everything to do with network segregation. – lynks Jul 15 '13 at 21:22
  • Seriously? Here's a DMZ for dummies link that you could find really useful. http://en.wikipedia.org/wiki/DMZ_(computing) – Safado Jul 17 '13 at 22:58

3 Answers

13

You put in the DMZ the servers which must be accessed from the outside. Since they are reachable from the external world (which is assumed hostile), these servers are potentially subject to hijack by attackers. The DMZ is a containment area so that a subverted server does not gain immediate access to your most valuable data (which will presumably be kept in the inner network).

Your AD and SQL servers are meant to be used only by machines from your network, not by machines from the outside, so you put them in the inner network. Your Web server is meant to be contacted by external clients, so put it in the DMZ. Similarly, the DNS server which publishes to the outer world your domain (e.g. the IP address of your Web server) is also meant to be accessed from the outside, hence DMZ.

There is no rule without exception. Occasionally, you will need to have some data path from outside to the inner network. Typically, emails come from the Internet but must ultimately appear on desktop systems. You normally want to store the incoming emails in servers which are in the inner network (this is the presumed safest place in your network) but if you run your own SMTP server (for incoming emails), then that one has to be in the DMZ.

It really depends on your exact situation, but the rule of thumb is simple: DMZ is for that which can be contacted from the outside.

Tom Leek
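To make the rule of thumb in the answer above concrete, here is a small placement and flow-policy model with an audit that flags rules crossing from a less trusted zone into a more trusted one. This is an added example, not code from the original post or from the Forefront TMG product. The host names, ports, the allow list and the zone chosen for each role (in particular putting the Exchange client-access role in the DMZ next to the inbound SMTP relay, with the mailbox role internal) are assumptions constructed for illustration; the design decision the model enforces is only the one stated in the answer: default deny, and every DMZ-to-internal path must be an explicit, justified exception.

```python
"""Three-zone placement model with a default-deny flow policy and an audit
that flags rules violating the containment idea behind a DMZ.

Added example; not code from the original post or from Forefront TMG.
Host names, zones, ports and the allow list are assumptions constructed
for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"
TRUST = {INTERNET: 0, DMZ: 1, INTERNAL: 2}   # higher = more trusted
ANY_PORT = 0


@dataclass(frozen=True)
class Flow:
    src: str            # host name or zone name
    dst: str            # host name or zone name
    port: int           # destination port, ANY_PORT for any
    proto: str = "tcp"
    reason: str = ""    # required for any DMZ -> internal exception


# Placement per the rule of thumb: contacted from outside -> DMZ, else internal.
# Role-to-zone choices for Exchange are assumptions for this example.
PLACEMENT: Dict[str, str] = {
    "web01": DMZ, "ns01": DMZ, "smtp01": DMZ, "cas01": DMZ,
    "mbx01": INTERNAL, "sql01": INTERNAL, "dc01": INTERNAL, "dc02": INTERNAL,
}

# Explicit allow list; anything not listed is denied (constructed for the example).
ALLOWED: List[Flow] = [
    Flow(INTERNET, "web01", 80), Flow(INTERNET, "web01", 443),
    Flow(INTERNET, "ns01", 53, "udp"), Flow(INTERNET, "ns01", 53),
    Flow(INTERNET, "smtp01", 25),
    Flow(INTERNET, "cas01", 443),
    Flow("web01", "sql01", 1433, reason="web tier reads application DB"),
    Flow("smtp01", "mbx01", 25, reason="inbound mail relayed to mailbox server"),
    Flow("cas01", "mbx01", 443, reason="client access proxies to mailbox role"),
    Flow(INTERNAL, DMZ, ANY_PORT),        # admins manage DMZ hosts
    Flow(INTERNAL, INTERNET, ANY_PORT),   # outbound access from the inner network
]


def zone_of(name: str, placement: Dict[str, str] = PLACEMENT) -> str:
    """Resolve a host name to its zone; zone names resolve to themselves."""
    return name if name in TRUST else placement[name]


def _matches(rule: Flow, flow: Flow) -> bool:
    src_ok = rule.src in (flow.src, zone_of(flow.src))
    dst_ok = rule.dst in (flow.dst, zone_of(flow.dst))
    port_ok = rule.port in (ANY_PORT, flow.port)
    return src_ok and dst_ok and port_ok and rule.proto == flow.proto


def is_allowed(flow: Flow, rules: List[Flow] = ALLOWED) -> bool:
    """Default deny: a flow passes only if some rule matches it."""
    return any(_matches(r, flow) for r in rules)


def audit(rules: List[Flow] = ALLOWED,
          placement: Dict[str, str] = PLACEMENT) -> List[str]:
    """Return findings that break the containment the DMZ is meant to provide."""
    findings = []
    for r in rules:
        s, d = zone_of(r.src, placement), zone_of(r.dst, placement)
        if s == INTERNET and d == INTERNAL:
            findings.append(f"FAIL internet->internal: {r}")
        elif s == DMZ and d == INTERNAL and not r.reason:
            findings.append(f"FAIL unjustified dmz->internal: {r}")
        elif s == INTERNET and r.port == ANY_PORT:
            findings.append(f"FAIL internet rule with any port: {r}")
    for host, zone in placement.items():
        exposed = any(zone_of(r.src, placement) == INTERNET and r.dst == host
                      for r in rules)
        if zone == DMZ and not exposed:
            findings.append(f"WARN {host} in DMZ but not reachable from the internet")
        if zone == INTERNAL and exposed:
            findings.append(f"FAIL {host} internal but reachable from the internet")
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f)
    print("web -> sql:", is_allowed(Flow("web01", "sql01", 1433)))
    print("web -> dc :", is_allowed(Flow("web01", "dc01", 389)))
```

Running the audit on the allow list above yields no findings; appending a rule such as `Flow("internet", "sql01", 1433)` or an unjustified `Flow("web01", "dc01", 389)` produces a FAIL line, which is the kind of check worth running against the exported TMG rule set before it goes live.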
2

Generally the idea is to determine what hardware you trust and what hardware you don't. Things that are highly exposed and don't contain sensitive data don't need to be trusted and can then live outside. If a web server's sensitive data is provided by a DB, then the web server itself can be relatively untrusted, but this breaks down in a lot of cases such as HTTPS where some amount of trust needs to be maintained in the web server and thus it should also be as isolated as possible, though possibly also cut off from the internal network.

The key you are looking at is a combination of how much access is needed externally vs how much risk does that exposure bring to your core network. You are seeking to mitigate that risk by adding additional barriers separating the systems.

Sorry if this isn't an exact listing, but hopefully it clears up the concept enough to make the answers clear (and there isn't always a "perfect" or "correct" answer. Security is also about balancing various conflicting needs such as usability (letting good users in) and access control (keeping bad users out).)

AJ Henderson
0

Let me help you. You should be more concerned about accidentally exposing the assets at the wrong end just because you have not understood how the entire system works. Consider this analogy. You have a castle and it houses the king and his men (rulers of sub-kingdoms); these entities are housed in the innermost protection barrier (internal (internal)), and then there are people from administration, advisers, a bunch of people who don't enjoy the same level of privilege as the guys in the innermost circle or the king, for the simple reason that he doesn't like that bunch to be near him. So these people stay at less-trusted (internal).

In the security context, this is called trust level and CIA rating; the assets with a higher CIA rating usually employ greater security controls and are placed where they are most protected. Going back to the analogy, consider that there is a compromise of the outermost layer of the castle, and there is a certain protocol by which these people move inside the king's zone, let's say following a routine check protocol, drills etc. A compromised asset on that outer layer means free, authorized-like access to the most privileged (the king's crew and him), those with a high trust level.

This is how you should think too; just map it to the business requirements and you are good to go. You should realize, be it TMG or any other service you expose to the outer perimeter, that you must make sure you are prepared when the fight breaks out; these guys would be hit first, sometimes hard and sometimes silently. *So a good DMZ is what isolates the attack coverage (the security leak), providing authorized channels of functionality.* As a scrutinizing, vigilant person you should always be looking at the threats these public-facing assets face; the landscape changes frequently. You have to be on your toes.

Saladin