What things to consider when creating a DMZ for a website?

[1Drisnil]

Anyone out there build a DMZ from scratch using Windows 2003 products? What type of devices did you use for the Networking devices?

What problems did you run into in the process?

I have been charged with developing a plan to create a DMZ with web, database, and mail services. The data pipe is slated to be T1 (1.544Mbps).

Any thoughts?


Social engineering, coupled with greed, is the easiest way to subvert any security!

 

[themosquito]

If you are going to use all Microsoft Products to create your DMZ, particularly ISA 2000 you need to keep one obscure thing in mind.

ISA 2000 does not support internal Domain Members in it's DMZ

INFO: ISA Server Does Not Support Domain Members In Perimeter Network

http://support.microsoft.com/default.aspx?scid=kb;en-us;329807

That means if you are planning on having your webserver be a member of your internal domain so you can authenticate users against Active Directory it won't work.

This also applies to Front End Exchange Servers, don't put them in an ISA2000 DMZ as it is not supported by Microsoft.

Not sure if ISA 2004 changes this or not.

Just trying to save you a headache.

Best of luck!