Guest
Archived from groups: microsoft.public.win2000.security
Cross posted from ms.public.security:

I am interested to hear anyone's comment on the following:

The organisation has an internal LAN and an Extranet with Web and mail
servers located in a DMZ. The firewall is a Cisco device.

At present both the DMZ and the LAN are separate domains, which means
that staff often have to be registered to both domains. This, linked
with the password complexity/expiry policy, creates much confusion.

So we are considering opening a hole in the firewall between the DMZ
and the inside to allow us to set up a one-way trust relationship
between the two domains, with the DMZ domain trusting the LAN domain.
In this way staff will only be registered on the inside, whilst trusted
3rd parties would only be registered on the DMZ.

Now I know in theory that this ought to be secure (there is no outside
access), but supposing that the DMZ got compromised in some unforeseen
way, what is the potential for this to provide a staging post to
compromising the inside? Is this risk more or less than having the two
completely isolated domains?

I know there are no definitive answers to this question, but I would
warmly welcome hearing the views of anyone prepared to share them.

Many thanks,