PIX ASA : Need to setup a server in a DMZ such that

Need to set up a web server in a DMZ such that

1) computers on the INSIDE interface can, on a Microsoft LAN, browse to and copy files FROM the server in the DMZ to themselves in the inside
2) If the server in the DMZ is hacked it will prevent attack on the inside computers.

I need to:

1) know this is possible
2) be pointed to instructions on how to set this up
3) understand HOW this is done
4) understand if the Inside and DMZ are on different subnets if the ASA is doing routing as well as passing Netbios packets.

As I understand the world, if you allow netbios from and to subnets you are making security holes that undermine the value of the DMZ

barret bonden

On 26.03.2010 20:11, barret bonden wrote:

You got that right. Opening up Microsoft LAN protocols between the DMZ and your internal network makes it pretty much impossible to secure the internal network against attacks from the DMZ server, should it be subverted.

(Btw, I don't agree with your distinction between "routing" and "passing Netbios packets". The latter is a particular case of the former.)

What I'd recommend is not to use Netbios for that purpose. If that DMZ server is a web server already, why not have the inside computers browse to and copy these files via HTTP, too? For that you only have to open port 80 from inside to DMZ, which you probably did already anyway.

HTH Tilman

Tilman Schmidt

I find that on W2k3 and above servers, that one only needs to open up port 445 one-way from the PCs doing the system admin work to the servers in question. It goes through fine using \\ip.address.of.server in the run dialog. Don't allow traffic on this port from the servers to the inside network.

Thanks. Andrew.

Andrew Hodgson
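
An added configuration sketch, not part of any post in this thread, showing the one-way policy the two replies describe: HTTP (and, for one admin PC, TCP 445) from inside to the DMZ server, with nothing initiated from the DMZ toward inside. All addresses, interface numbers and ACL names are constructed for illustration; NAT statements are not shown because they depend on the ASA software version.

```cisco
! Constructed addressing (assumption): inside 192.168.1.0/24,
! DMZ 192.168.2.0/24, DMZ web server 192.168.2.10, admin PC 192.168.1.50.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Inside -> DMZ: HTTP for all inside hosts, TCP 445 only from the admin PC.
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.2.10 eq www
access-list INSIDE_IN extended permit tcp host 192.168.1.50 host 192.168.2.10 eq 445
! Everything else from inside to the DMZ (including NetBIOS 137-139) is dropped and logged.
access-list INSIDE_IN extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 log
! Other inside traffic (for example to the outside interface) is left permitted.
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! DMZ -> inside: no new connections; attempts are logged.
! Replies to connections opened from inside still pass, because the ASA is stateful.
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

To confirm the DMZ-to-inside direction is closed, `packet-tracer input dmz tcp 192.168.2.10 1025 192.168.1.50 445` should report a drop at the access-list phase, and `show access-list DMZ_IN` shows hit counts on the deny line.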
