
Interface domains vs. trusts


themikehyde (IS-IT--Management), Feb 20, 2003
My previous network was all one domain. Now that I have installed a PIX515E and moved the web servers into the dmz, I have a couple of issues.

Is it recommended to have the web servers be on their own domain, or standalone units for authentication?

Should a trust be set up between the dmz and the inside network or is this a security issue?

My web servers accessed databases on other hosts, via mapped drive/ODBC, but now can't. Any recommendations?

Thanks,
Mike

 
It's generally recommended not to let your DMZ into your INSIDE, but based upon practicality, you might need to open up an access-list to let the ports through you need.

I have a separate domain for my DMZ to ease management. If you really want to go hardcore, every server would be standalone w/o a domain.

-Bad Dos
 
Bad Dos,
Thanks, I was figuring to set up each server in the dmz as standalone for authentication. How would I allow a server to access an access database on the inside?

Our Intranet used domain authentication for allowing access, then all database queries were based off their network username. How would I allow this without going back to them having to have separate usernames and passwords stored in a database on the webserver?

Thanks,
Mike
 
You can make what's called a "local" user in your internal domain that uses the same username and password as the one used on the DMZ computer. Provided you have an access-list or conduit to allow db access from the DMZ to the INSIDE, it will work fine.

-Bad Dos
 
HI.

> Thanks, I was figuring to set up each server in the dmz as standalone for authentication. How would I allow a server to access an access database on the inside?

If applicable, use a script/batch to copy the database file from the internal server to the web server periodically.
This is safer than allowing the web server access to the real db.

Bye
Yizhar Hurwitz
 
yizhar,
Thanks. I have just copied this database up to the web server. It's not that sensitive of data.
Mike
 
Thanks. Now if I can get the mapping issue from the inside to the dmz, then everyone will be happy.
Thanks,
Mike
 
yizhar,
I guess I just don't understand why 2K clients have no trouble, but 9x clients keep timing out. Cisco has had me map from 2K & 9x clients in the dmz to see if the problem exists; it does not. Something is kicking the 9x clients off after approximately 15-16 minutes.

FTP would not be a real option since they need to access an Access database.

Would the WINS/DNS entry possibly resolve this?
Thanks
Mike
 
HI.

> Would the WINS/DNS entry possibly resolve this?
I guess not.

Try asking in a W2K related forum.
There might be a change in the W2K server to disable the automatic disconnection.

Look at the syslog messages of the pix.
Do you see any connection attempt related to the server ip address blocked at the pix?

Can you post your pix configuration, or at least the part that relates to the inside and dmz (nat/global/static/access-list)?

Bye
Yizhar Hurwitz
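For readers following this thread, below is an added illustration of the kind of inside/dmz configuration fragment Yizhar is asking Mike to post. It is not Mike's configuration or anything from this thread; the interface names, the addresses (inside 10.1.0.0/16, dmz 192.168.2.0/24, web server 192.168.2.10, internal file server 10.1.1.5, syslog host 10.1.1.20) and the ports are all assumptions. It shows the practice Bad Dos described: the DMZ web server gets only the specific ports it needs toward one inside host, everything else from the DMZ is dropped, and syslog is turned on so that connections the PIX blocks can be seen.

```cisco
! Added example (not from this thread). All addresses, interface names and
! ports are assumptions: inside = 10.1.0.0/16, dmz = 192.168.2.0/24,
! web server = 192.168.2.10, internal file server = 10.1.1.5.
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.0.1 255.255.0.0
ip address dmz 192.168.2.1 255.255.255.0

! Identity static: inside hosts keep their real addresses when talking to
! the DMZ, and a DMZ host can reach them only where an access-list permits.
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

! DMZ -> inside: only the web server, only the file-sharing ports it needs
! to reach the one internal file server (mapped drive / ODBC to an Access
! file). The final deny is implicit on the PIX but spelled out here.
access-list dmz_in permit tcp host 192.168.2.10 host 10.1.1.5 eq netbios-ssn
access-list dmz_in permit tcp host 192.168.2.10 host 10.1.1.5 eq 445
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! Inside -> DMZ (higher to lower security) is allowed by default once the
! static above exists, so the inside clients mapping drives to the DMZ
! server need no access-list entry here.

! Send denied-connection messages to an internal syslog host so that
! blocked attempts from the DMZ show up (syslog host is an assumption).
logging on
logging trap informational
logging host inside 10.1.1.20
```

With this in place, a `show access-list dmz_in` shows hit counts per line, and any DMZ connection attempt outside the two permitted lines appears in the syslog as a deny message against the dmz interface; that is the first thing to check when a DMZ server "can't reach" something it used to reach on the old flat network. If the database is simply copied up to the web server, as Mike ended up doing, the two permit lines can be dropped and the DMZ has no path into the inside at all.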
 
Yizhar,
Add a wins/dns entry into the lmhosts file or on the pix?
Mike
 