07-01-2014 09:48 AM
We are running a PA-500. Given it's abilities I am wondering if a DMZ is absolutely necessary. Note: I realize this is a wide open question, what servers are we using, what operating system, etc. I am curious in more of a "general" sense.
There are obvious situations where a DMZ is a no brainer, hosting a site with SQL, money transactions, etc.
In our case we are an SMB and I am interested in publishing a couple of different servers to the outside world. Neither of them are based on IIS but are accessed via HTTP/HTTPS. Given the abilities of the PA and the fact they are not AD bound it seems I could probably publish them without using a DMZ at the application level.
Same question with Exchange OWA/Activsync. Given the PA has the protocol definitions and is not just using ports, it seems like overkill to put the OWA/Activesync in a DMZ?
Any thoughts?
Thanks,
Bob
07-01-2014 09:51 AM
In my humble opinion a DMZ is still necessary because pivoting is still a tactic employed by the bad guys and pen testers. If you expose something to the Internet, assume it has vulnerabilities which would allow an attacker to get a shell on the box on the DMZ and pivot into your internal network. If you had that box 'sandboxed off' into its own zone with appropriate rules and profiles bound to it then you'd prevent pivoting.
07-01-2014 10:21 AM
Hi Bob,
Its good to have more security than less. I would suggest to have server in DMZ.
Prevention is better than cure.
Regards,
Hardik Shah
07-01-2014 06:01 PM
Hi Bob,
The nice thing about DMZ's is that you have the ability to control where the DMZ based server(s) can connect to internally and limit their connectivity to just those resources that they require to function correctly. This limits your exposure should the dmz server is compromised.
Phil
07-02-2014 04:27 AM
DMZs are very necessary and in fact we are adding all kinds of internal "DMZ" secure zones throughout the data center and organization to protect critical applications and data repositories.
We can no longer assume that all the attacks are outside to in. But that any inside computer could eventually be in the hands of a bad actor. So you need to consider what could a bad actor do from this point in the network? Where can they go? What can they see?
Then if the compromised computer is inside a secured zone, DMZ or otherwise, how do we keep them there and not spread.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
