List:       firewall-wizards
Subject:    Re: [fw-wiz] safety of unidirectional NT trusts
From:       "S. Jonah Pressman" <jpressman () sympatico ! ca>
Date:       2002-01-17 2:26:05

Phooey!  You're in a tough spot.  If you follow the wishes of the decision
makers, you might as well take the "D" out of "DMZ".

What about an alternative solution?  Will your sponsoring decision makers pay
for the hard and soft dollars for a good non-Microsoft VPN implementation (e.g.
Shiva, Timestep, etc.)?

SJP

hermit921 wrote:

> I have been tasked with permitting M$ networking access between an NT
> server on the DMZ and other Windows machines behind the firewall.  My plan
> is to not let the DMZ machine initiate any connections to the internal
> machines, but they can initiate connections to the DMZ machine.  The DMZ
> machine should be set up to trust the internal machine, but the internal
> machine should not trust the DMZ machine; I know I can't control this on
> the firewall.  I don't know much about M$ networking, I don't get to make
> decisions, I just implement firewall rules whether I like them or not.
>
> My main question is:  is this unidirectional connection initiation and
> trust much more secure than bidirectional?  Given that I have to allow
> this network traffic, can I do any better on the firewall rules?
>
> hermit921
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@nfr.com
> http://list.nfr.com/mailman/listinfo/firewall-wizards
