I am involved in a project where I have to install a new server for a new application into a preexisting production network. The new server shall sit in the DMZ and two controllers will sit on the production network. The network has one firewall with an extra module for the DMZ. The server application requires many ports to be open to communicate with the outside. But I have been told that I should also open up the ports between the DMZ and the production net so that the server can communicate with the two controllers (bidirectional communication).

So my question is this: what is the point in having the DMZ if the same ports are open on the firewall? I could understand it if there were more ports open on the DMZ-to-Internet side than on the DMZ-to-network side, but if they are both the same I can't see what the protection is. Can anyone tell me if I am right or wrong about this?
1 Answer
2
The DMZ should generally be the only network publicly accessible; versus the private network ("production net"?), where no ports should be 'directly' publicly accessible. Connections between the two segments are largely dependent upon your application's requirements.
The key is that the private segment is not directly accessible, so one (or more) devices would need to be compromised to get to them.
If the private network (non-DMZ) needs to connect to a DMZ server, that is assumed to be more trustworthy than an Internet host connecting (your more trusted server is connecting, versus anyone in the world).
CrackerJack9