
DMZ security

Status
Not open for further replies.

theresatan

Programmer
Mar 18, 2002
101
US
Hi guys,

We have a server1 on domainA in a DMZ, and server2 on domainB inside the firewall.

DomainA trusts domainB but domainB does not trust domainA.

Can the firewall make a rule -- "server2 trusts server1 only"?

Someone told me it is not possible since it will make all computers on the same LAN
as server2 trust server1. Is that correct?

Any input appreciated.....

Theresa
 
The firewall is there to control network traffic, so it can be set to allow or disallow traffic between servers in different networks.
Trusts between servers are outside its control; all it can do is allow/disallow connections between servers. You can specify that a connection can only be established from one server to the other and not the other way.

Using port 1433 (which would need to be set up):

Source   - Destination - Service           - Action
server2  - server1     - port 1433 service - allow
 
Piloria:

Thanks for your response.

Now I am more clear on the concept of firewall traffic.

But what I really want to know is:
Can the firewall make a rule -- "Allow connection traffic from server2 (inside firewall) to server1 (DMZ) only"?

Thank you!

Theresa
 
Depending on what you are specifically trying to achieve: if you want to only allow one-directional traffic but don't mind what the traffic is, then a pair of rules will guarantee it.

Source   - Destination - Service - Action
server2  - server1     - any     - allow
server1  - server2     - any     - reject


If you specifically know the type of traffic or the port numbers that will be used, then change the "any" service on the 1st rule to a service with that port number (or create a new service with the port number; it will tell you if there is an existing service).
 
Piloria:

Thanks again for your response.

I just want to make sure my understanding is correct:

The following rules are acceptable:

Source   - Destination - Service - Action
server2  - server1     - any     - allow
server1  - server2     - any     - allow
others   - server1     - any     - reject (newly added)
server1  - others      - any     - allow (newly added)

(I changed the 'reject' to 'allow' on the second line and added two more.

others -- all computers on the same LAN connected with server2, but excluding server2.)

Opening a traffic connection between two servers that have a firewall between them will affect these two servers only; it will not affect the other computers on the same LAN connected with the server which is inside the firewall.

Thank you Very much!

Theresa
 
That should be fine.

The firewall shouldn't affect machines on a local LAN communicating with each other.
Only when a machine is going outside the LAN (or subnet mask restrictions) and is then routed through the firewall will the firewall be able to affect it.
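As an added illustration that is not part of the thread, the following first-match evaluator models the two source/destination/service/action tables exchanged above (Piloria's one-directional pair, with "any" narrowed to port 1433 as suggested, and Theresa's revised four-row table) and checks which new connection attempts each table lets through. Host names, the sample LAN host "pc7", and the default-reject policy are assumptions for the example; a stateful firewall tracks the reply packets of an allowed connection itself, so only the initiating direction is modelled.

```python
from dataclasses import dataclass

# "others" stands for any LAN host other than server1 and server2, as Theresa defined it.
SERVERS = ("server1", "server2")


@dataclass(frozen=True)
class Rule:
    src: str      # "server1", "server2", "others" or "any"
    dst: str
    service: str  # "any" or a TCP port number as a string, e.g. "1433"
    action: str   # "allow" or "reject"


def _host_matches(pattern: str, host: str) -> bool:
    if pattern == "any":
        return True
    if pattern == "others":
        return host not in SERVERS
    return pattern == host


def evaluate(rules, src: str, dst: str, port: int, default: str = "reject") -> str:
    """Action for a NEW connection attempt src -> dst:port, first matching rule wins.
    Return traffic of an allowed connection is handled by the firewall's state table,
    so it never needs a rule of its own (assumption: stateful firewall)."""
    for r in rules:
        if _host_matches(r.src, src) and _host_matches(r.dst, dst) and r.service in ("any", str(port)):
            return r.action
    return default  # assumed implicit default: reject anything not listed


# Piloria's pair: only server2 may open connections, and only to SQL on 1433.
ONE_WAY = [Rule("server2", "server1", "1433", "allow"),
           Rule("server1", "server2", "any", "reject")]

# Theresa's revision: the DMZ host may now open connections inward, to server2 and the LAN.
REVISED = [Rule("server2", "server1", "any", "allow"),
           Rule("server1", "server2", "any", "allow"),
           Rule("others", "server1", "any", "reject"),
           Rule("server1", "others", "any", "allow")]


def compare(port: int = 1433) -> dict:
    """Side-by-side verdicts (ONE_WAY, REVISED) for the flows the thread discusses."""
    flows = [("server2", "server1"), ("server1", "server2"), ("pc7", "server1"), ("server1", "pc7")]
    return {f"{s}->{d}": (evaluate(ONE_WAY, s, d, port), evaluate(REVISED, s, d, port)) for s, d in flows}
```

The difference that matters for a DMZ design shows up in `compare()`: the revised table turns the DMZ host into one that can initiate connections into the internal network, which is what the first pair of rules was meant to prevent.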
 