DMZ to Green interface UDP port mapping

Status
Not open for further replies.

TSMJ

MIS
Nov 27, 2002
83
Hi
Was just interested in what people thought about mapping a UDP port from my DMZ (which is protected by the firewall) to a server on the green interface, so that the web server in the DMZ can get anti-virus updates. The uninstall program for the anti-virus running on the web server won't let me uninstall it and set it up again as a stand-alone (the server was recently moved from the green network to the DMZ). There are only 4 TCP ports mapped from the internet into the DMZ - no UDP at all.

Shall I a) delete the anti-virus folders and hope running the exe again will work and install properly or b) stop worrying because no one would be able to touch the server on the green through the UDP port I am thinking about mapping?

Thanks a lot for your time
 
The first question I would ask is who connects into your DMZ? What ports are accessible from the outside world? Each environment is different; however, if you use a non-standard port from your webserver to your antivirus server to get updates, I don't see the harm. I think the risk is greater if your web server gets infected. However, if you're wide open from your webserver, I'd consider tightening that down first.
 
Thanks for replying rn4it
The DMZ is accessible from the internet by ports 80, 81, 21, 110 and 25 and the green interface has complete access to the DMZ (however nothing in the DMZ can see anything on the green - at the moment anyway). There is a firewall routing all these networks together. There are no ports mapped into the green. I think the antivirus port is a non-standard UDP port, certainly not one which is mapped from the internet to the DMZ.

Thanks again.
 
I would think it should be OK, then. As long as your antivirus server is just that and not (i.e. PDC, essential file or print server...)
Good luck
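
An added example, not part of the thread: a small audit of a DMZ-to-green allow rule against the two conditions raised in the replies (the pinhole is not wide open from the web server, and the target is only an anti-virus server). The subnets, host addresses, UDP port 40000 and the role inventory are constructed placeholders; the thread names none of them.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed sample topology; addresses, port and roles are placeholders.
DMZ = ip_network("192.168.2.0/24")
GREEN = ip_network("192.168.1.0/24")
# Hypothetical inventory of roles running on each green host.
GREEN_ROLES = {
    "192.168.1.20": {"av-update"},
    "192.168.1.10": {"av-update", "pdc", "file"},
}

@dataclass
class Rule:
    src: str    # source CIDR
    dst: str    # destination CIDR
    proto: str  # "udp", "tcp" or "any"
    dport: str  # single port, "lo:hi" range, or "any"

def audit_pinhole(rule: Rule) -> list[str]:
    """Return findings for a DMZ -> green allow rule; an empty list means tight."""
    src, dst = ip_network(rule.src), ip_network(rule.dst)
    if not (src.overlaps(DMZ) and dst.overlaps(GREEN)):
        return ["not a DMZ-to-green rule"]
    findings = []
    if src.num_addresses != 1:
        findings.append("source is wider than the single web server")
    if dst.num_addresses != 1:
        findings.append("destination is wider than the single AV server")
    if rule.proto == "any":
        findings.append("protocol not restricted")
    if not rule.dport.isdigit():
        findings.append("port not restricted to one value")
    if dst.num_addresses == 1:
        # A compromised web server can reach every service on this host
        # that listens on the mapped port, so other roles raise the stakes.
        extra = GREEN_ROLES.get(str(dst.network_address), set()) - {"av-update"}
        if extra:
            findings.append("target also runs: " + ", ".join(sorted(extra)))
    return findings

# Constructed rules: a tight pinhole, a wide-open one, and one aimed at a shared server.
TIGHT = Rule("192.168.2.5/32", "192.168.1.20/32", "udp", "40000")
WIDE = Rule("192.168.2.0/24", "192.168.1.0/24", "any", "any")
SHARED = Rule("192.168.2.5/32", "192.168.1.10/32", "udp", "40000")

if __name__ == "__main__":
    for name, rule in (("tight", TIGHT), ("wide", WIDE), ("shared", SHARED)):
        print(name, audit_pinhole(rule) or "ok")
```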
 