Mailinglist Archive: opensuse-security (343 mails)

< Previous Next >
Re: [suse-security] extending my dmz
On Wednesday 11 July 2001 11:54, you wrote:
> I work for a college with 3 sites, with wan links in between each, with
> 2 seperate networks per site, which means 6 networks over my wan.
>
> Im hoping to set up a DMZ over the summer, and putting my web server,
> dns and mail server in there. Thing is, i have another server on
> another site that i'd also like inside my DMZ. what i'd like to do is
> set up some sort of tunnel (i dont know if you can do this) from the
> external site to my DMZ. Sort of like this:

Well, regardless whether this is feasible technically, this would go
*directly* against what a DMZ tries to accomplish in the first place.

A DMZ is meant to isolate a bunch of servers so that, in the case one does
get compromised, the problem stays "contained" (i.e. the LAN itself still
remains secure). By setting up a VPN tunnel from the DMZ to one of your
LANs, you break that . So, maybe you'd like to reconsider...?

Else, if you are not able to reconsider, sorry I bothered you. ;-)

Maarten

> box needs being in DMZ ---> tunnel box ---> WAN links ----> Box inside
> DMZ
>
> Then, any requests for the "box needs being in DMZ" can be directed to
> the "box inside DMZ", which then sends any data down over the tunnel
> directly to the "box needs being in DMZ".
>
> heres another diagram in case imnot being very clear:
>
> router
> ----------------------
> wan router DMZ
>
> | box inside DMZ
>
> ------------------
> extsite1 extsite2 ext site3
> ---- ---- ----
>
> Tunnel box
>
> box needs being in DMZ

--
Instead, only try to realize the truth. There ís no blue pill.

Maarten J H van den Berg
van Boetzelaer van Bemmel, informatie- en netwerktechnologie
http://vbvb.nl T 020-4233288 F 020-4233286 G 06-51994273

< Previous Next >
References