[SAGE] Questions about a DMZ config
I've come across a DMZ design that I've not seen before. It seems
somewhat flawed to me. I'd like to hear the opinions of other Sage
members.
Internet
|
FW
|
192.168.32.0/24
(web servers, external DNS, mail gateways)
|
FW
|
192.168.42.0/24
(middle-ware)
|
FW
|
Internal Network.
All externally visible servers are NATed behind the external firewall.
The DNS servers give out public IP addresses which are controlled by the
firewall. There is no DNS resolution for the local private IP
addresses. This causes some interesting problems. The firewall does
not allow the servers to talk to each other using their public IP
addresses. This can create email problems. For example, should a
server wish to send email it cannot do so via MX record lookup. Instead
the server's MTA must be manually set to forward (e.g. SMART_HOST).
Services that prefer to have DNS (e.g. OpenView, backup software) now
only work if each host keeps a hosts file.
Is this type of arrangement typical? Is another DNS service required to
fix this problem, or is there a more serious flaw?
--
Neil Watson | Debian Linux
System Administrator
http://watson-wilson.ca
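One common way to give the DMZ hosts working name resolution without exposing private addresses to the Internet is split-horizon DNS. The fragment below is an added example, not part of the original post or the poster's setup: a BIND 9 named.conf with two views, using the page's 192.168.32.0/24 and 192.168.42.0/24 subnets; the domain example.com, the host names and the 203.0.113.0/24 "public" addresses are constructed placeholders.

```conf
// Added example: split-horizon BIND 9 configuration (not from the original post).
// Hosts on the DMZ and middleware subnets query this resolver and get the
// private (NATed) addresses, so MX lookups and DNS-dependent tools work
// without SMART_HOST or per-host hosts files. Internet clients still get the
// public addresses the external firewall maps. Names/addresses are constructed.
acl "dmz-nets" { 192.168.32.0/24; 192.168.42.0/24; };

view "internal" {
    match-clients { "dmz-nets"; localhost; };
    recursion yes;                      // DMZ hosts may resolve external names
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                       // authoritative-only toward the Internet
    allow-transfer { none; };
    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};

// internal/example.com.zone (constructed): private addresses reachable
// directly across the DMZ firewall, so mail can follow the MX record.
//   @      IN MX 10 mail.example.com.
//   mail   IN A     192.168.32.25
//   www    IN A     192.168.32.80
//   ns1    IN A     192.168.32.53
//
// external/example.com.zone (constructed): the firewall-mapped public
// addresses; this is all an Internet client is ever shown.
//   @      IN MX 10 mail.example.com.
//   mail   IN A     203.0.113.25
//   www    IN A     203.0.113.80
//   ns1    IN A     203.0.113.53
```

After a change, check both views from a DMZ host and from outside (e.g. `dig @ns1 mail.example.com A` from each side) to confirm the private records never leak to external clients.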