My problem is that there are services on my internal LAN, such as Kerberos, NTP, DNS queries & xfers, etc, that I need my servers on my DMZs to access. I am thinking of building 2 DMZs; one for my web servers and the other for my DB servers. After doing a little DMZ design research I found two threads that make me wonder:
1) Never let a server on a publicly accessible DMZ segment initiate a connection to a server on a higher-security segment (i.e. a server in the LAN).
2) To allow administrative access to servers in the DMZ, create an out-of-band management subnet by installing another NIC on each of the DMZ servers. This dedicated NIC would allow administrative access, Kerberos, NTP, etc. None of these servers would allow packet forwarding.
With #1 being stated, how do you allow DMZ'ed hosts to access these internal services that cannot be easily replicated? Replicating all of these services for each DMZ as well as the LAN sounds like an administrative nightmare.
#2 made me wonder whether security is really gained. Couldn't all of this service and administrative access take place over the main communications channel (i.e. in-band) with less hardware and configuration? It seems like the only thing gained would be access to the servers via the out-of-band channel in the event of a DoS on the in-band channel.
What are some of your DMZ design guidelines and best practices?
Would it be so bad to just poke a few holes through the firewall from the DMZ to the LAN and then really lock down those internal servers, not allowing them to initiate connections outside of their local segment?
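One concrete way to write down the "poke a few holes" design from the last paragraph, as an added example that is not part of the original post: an nftables forward policy for a single firewall with an Internet leg, the two proposed DMZs and the LAN. The interface names, address ranges, the choice of PostgreSQL for the DB tier, and the admin-subnet SSH rule are assumptions made for illustration; the port numbers are the standard Kerberos (88, kpasswd 464), NTP (123/udp) and DNS (53, with TCP covering zone transfers) ports.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the original post). Assumed layout:
#   eth0 = Internet, eth1 = web DMZ, eth2 = DB DMZ, eth3 = LAN
#   Kerberos KDC on 10.0.0.10; NTP and DNS on 10.0.0.10 and 10.0.0.11
#   admin workstations on 10.0.5.0/24 (all addresses are illustrative)
flush ruleset

define WEB_DMZ = 192.0.2.0/24
define DB_DMZ  = 198.51.100.0/24
define LAN     = 10.0.0.0/16
define KDC     = 10.0.0.10
define INFRA   = { 10.0.0.10, 10.0.0.11 }
define ADMIN   = 10.0.5.0/24

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for anything permitted below; LAN servers never
        # have to open a connection back into a DMZ.
        ct state established,related accept
        ct state invalid drop

        # Internet -> web DMZ: only the published services.
        iifname "eth0" oifname "eth1" ip daddr $WEB_DMZ tcp dport { 80, 443 } accept

        # Web DMZ -> DB DMZ: only the database port (PostgreSQL assumed).
        iifname "eth1" oifname "eth2" ip saddr $WEB_DMZ ip daddr $DB_DMZ tcp dport 5432 accept

        # The "few holes" from both DMZs into the LAN, pinned to exact
        # servers and ports: Kerberos, kpasswd, NTP and DNS (tcp 53 for AXFR).
        iifname { "eth1", "eth2" } oifname "eth3" ip daddr $KDC   tcp dport { 88, 464 } accept
        iifname { "eth1", "eth2" } oifname "eth3" ip daddr $KDC   udp dport { 88, 464 } accept
        iifname { "eth1", "eth2" } oifname "eth3" ip daddr $INFRA udp dport { 53, 123 } accept
        iifname { "eth1", "eth2" } oifname "eth3" ip daddr $INFRA tcp dport 53 accept

        # Anything else a DMZ host tries to start toward the LAN is logged
        # and dropped; a hit here is a strong compromise indicator.
        iifname { "eth1", "eth2" } oifname "eth3" log prefix "DMZ->LAN denied: " drop

        # In-band management: only admin workstations, only SSH. No other
        # LAN host may initiate into either DMZ.
        iifname "eth3" oifname { "eth1", "eth2" } ip saddr $ADMIN tcp dport 22 accept

        # LAN -> Internet per your existing policy (left permissive here).
        iifname "eth3" oifname "eth0" accept
    }
}
```

Load with `nft -f` on the firewall and check the result with `nft list ruleset`. The point of the layout is that every rule crossing from a DMZ into the LAN names a specific destination host and port, the conntrack `established,related` line carries the replies so the internal servers only ever answer, and the logged drop just before the in-band management rule is the one place to watch for a DMZ host attempting anything beyond the three services it was granted.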