DMZ Server Configuration and Security Best Practices
Four Servers Reside in the DMZ
- Mail
- WWW
- DNS
- Log
DMZ Mail Server (a Separate Machine)
When an Email Message is Received from the Internet, the DMZ Mail Server:
- Reassembles the message so that it can be inspected as a whole rather than packet by packet.
- Checks the reassembled message for malicious content.
- Rewrites the destination address. The outside world knows the mail server only by the address of the outer firewall, so that address is replaced with the address of the internal mail server, and the message is forwarded to the internal mail server.
To Send a Message from the Internal Network to the Internet, the DMZ Mail Server:
- Reassembles the message.
- Checks for malicious content (and possibly for proprietary information leaving the organization).
- Replaces every internal address with "drib.org", the name of the outer firewall, so that no internal host name reaches the Internet.
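The inbound and outbound procedures above, as an added example that is not part of the original notes: a small Python model of the DMZ mail proxy that reassembles each message, runs the content checks, and rewrites addresses in each direction. The names mail.internal.drib.org and internal.drib.org, the blocked-extension and "DRIB CONFIDENTIAL" rules, and the sample messages are constructed assumptions; drib.org is the outer firewall name from the notes. It goes slightly beyond the notes by dropping Received: headers on outbound mail, since those carry internal host names rather than addresses.

```python
"""Address rewriting and content checks of the DMZ mail proxy, both directions.

Added example, not code from the notes. Assumed names: the outer firewall is
"drib.org" (given in the notes); the internal mail server is
"mail.internal.drib.org" and every internal host lies under "internal.drib.org".
The two scans are constructed stand-ins for a real content scanner.
"""
import email
import re
from email import policy
from email.message import EmailMessage

OUTER_FIREWALL = "drib.org"                      # name the Internet sees (from the notes)
INTERNAL_DOMAIN = "internal.drib.org"            # assumed internal domain
INTERNAL_MAIL = "mail." + INTERNAL_DOMAIN        # assumed internal mail server

ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "To", "Cc", "Message-ID")
BLOCKED_EXTENSIONS = (".exe", ".scr", ".vbs", ".js")   # constructed "malicious content" rule
PROPRIETARY_MARKER = "DRIB CONFIDENTIAL"               # constructed proprietary-data marker
_ADDR = re.compile(r'([^\s<>@"]+)@([A-Za-z0-9.-]+)')    # local-part@domain inside a header value


class Rejected(Exception):
    """The message must not cross the firewall."""


def reassemble(raw: bytes) -> EmailMessage:
    """Turn the wire form into a structured message so it can be inspected whole."""
    return email.message_from_bytes(raw, policy=policy.default)


def scan_malicious(msg: EmailMessage) -> None:
    """Reject any attachment whose name ends in a blocked extension."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXTENSIONS):
            raise Rejected(f"blocked attachment {name}")


def scan_proprietary(msg: EmailMessage) -> None:
    """Reject outbound mail whose plain-text body carries the proprietary marker."""
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and PROPRIETARY_MARKER in body.get_content():
        raise Rejected("proprietary information in outbound mail")


def _rewrite_headers(msg: EmailMessage, map_domain) -> None:
    """Apply map_domain to the domain part of every address in ADDRESS_HEADERS."""
    for name in ADDRESS_HEADERS:
        if msg[name] is not None:
            new = _ADDR.sub(lambda m: f"{m.group(1)}@{map_domain(m.group(2))}", str(msg[name]))
            msg.replace_header(name, new)


def inbound(raw: bytes) -> EmailMessage:
    """Internet -> internal: reassemble, scan, re-address drib.org to the internal mail server."""
    msg = reassemble(raw)
    scan_malicious(msg)
    _rewrite_headers(msg, lambda d: INTERNAL_MAIL if d.lower() == OUTER_FIREWALL else d)
    return msg


def outbound(raw: bytes) -> EmailMessage:
    """Internal -> Internet: reassemble, scan, hide every internal address behind drib.org."""
    msg = reassemble(raw)
    scan_malicious(msg)
    scan_proprietary(msg)

    def hide(domain: str) -> str:
        d = domain.lower()
        return OUTER_FIREWALL if d == INTERNAL_DOMAIN or d.endswith("." + INTERNAL_DOMAIN) else domain

    _rewrite_headers(msg, hide)
    del msg["Received"]   # Received: lines name internal relays by host; drop them rather than leak them
    return msg


def relay(direction: str, raw: bytes):
    """Return ("forwarded", message) or ("rejected", reason)."""
    try:
        msg = inbound(raw) if direction == "inbound" else outbound(raw)
    except Rejected as exc:
        return "rejected", str(exc)
    return "forwarded", msg


# Constructed sample messages (not real traffic).
INBOUND_SAMPLE = (b"From: Bob <bob@example.com>\r\nTo: Alice <alice@drib.org>\r\n"
                  b"Subject: hello\r\nMessage-ID: <1@example.com>\r\n\r\nhi\r\n")


def make_outbound_sample(body: str = "see you Monday", attachment: str = "") -> bytes:
    """Build a constructed message as an internal workstation would hand it to the proxy."""
    m = EmailMessage()
    m["Received"] = "from ws12.internal.drib.org by mail.internal.drib.org"
    m["From"] = "Alice <alice@ws12.internal.drib.org>"
    m["To"] = "bob@example.com"
    m["Subject"] = "report"
    m["Message-ID"] = "<42@mail.internal.drib.org>"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    print(relay("inbound", INBOUND_SAMPLE)[1]["To"])
    print(relay("outbound", make_outbound_sample())[1]["From"])
    print(relay("outbound", make_outbound_sample(attachment="invoice.exe")))
```

Run it directly to see the rewritten headers. A real proxy would apply the same rewriting to the SMTP envelope (MAIL FROM and RCPT TO), not only to the message headers, since delivery follows the envelope.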
DMZ WWW Server (a Separate Machine)
- Does not contact any servers or information sources on the internal network, and holds no confidential data.
- Is accessed from the Internet using the address of the outer firewall.
- Developers release updates to the website to an internal machine named WWW-Clone; they are not allowed access to the DMZ WWW server. A system administrator transfers the updates from WWW-Clone to the DMZ WWW server over SSH.
- The DMZ WWW server invokes a simple program that validates customer data and encrypts it with the public key of the CSG (Customer Service Group), so only the CSG can read it even if the DMZ WWW server is compromised. The system administrator connects to the WWW server over SSH and copies the encrypted file to the internal CSG network.
DMZ DNS Server
Contains Entries for the Following:
- DMZ mail, Web, and log hosts
- Internal trusted administrative host (how the administrator connects using SSH)
- Outer firewall
- Inner firewall
The limited information in the DNS server reflects the principle of least privilege: it contains only the entries needed for the systems in the DMZ to talk to each other and to the administrative host, and nothing about the rest of the internal network.
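The entry list above, as an added example that is not from the original notes: a BIND-style zone file for the DMZ DNS server holding only those records. The zone name dmz.drib.org, the host labels, and the addresses (taken from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) are assumptions.

```zone
; Added example of the DMZ DNS server's zone data; not from the original notes.
; Zone name, host labels and addresses (documentation ranges) are assumptions.
$TTL 3600
$ORIGIN dmz.drib.org.
@          IN SOA  ns.dmz.drib.org. hostmaster.dmz.drib.org. (
                   2024010101 3600 900 604800 3600 )
@          IN NS   ns.dmz.drib.org.

ns         IN A    192.0.2.2        ; the DMZ DNS server itself
mail       IN A    192.0.2.3        ; DMZ mail server
www        IN A    192.0.2.4        ; DMZ WWW server
log        IN A    192.0.2.5        ; DMZ log server
outer-fw   IN A    192.0.2.1        ; DMZ-side address of the outer firewall
inner-fw   IN A    192.0.2.254      ; DMZ-side address of the inner firewall
admin      IN A    198.51.100.10    ; internal trusted administrative host (SSH source)

; Deliberately absent: every other internal host, WWW-Clone, and the CSG network.
; A DMZ host that is compromised learns nothing about the internal network from this zone.
```

The server should also refuse zone transfers and recursive queries from the Internet, so the zone is readable only by the DMZ hosts and the administrative host that need it.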
DMZ Log Server
- All DMZ machines have logging turned on and send their logs to a separate log machine. Keeping the logs off the host that generated them reduces the chance that an attacker who compromises a DMZ host can delete the record of the compromise.
- The log machine writes each log both to a file and to write-once media, so that an attacker who reaches the log server itself cannot alter or erase what has already been recorded.
- The system administrator can use SSH to copy logs from the DMZ log server to the internal network or can go to the log server and retrieve the write-once media.
In summary, each of the four servers has the minimum amount of knowledge of the network that is needed to perform its function.
The OS on each DMZ server runs a reduced kernel with unneeded functionality removed, so there is less code for an attacker to exploit. (Economy of Mechanism)