The following is the ITKnowledge Exchange Tip of the Week for March 28, 2005.
"Stephang" writes: I am designing a new network with a demilitarized zone (DMZ) containing Linux Web servers and a Windows BackOffice behind a firewall. I'd like to use Linux to run our company intranet on the DMZ side. However, I want to limit employee access from the Internet and from behind the firewall using Windows Server 2003 logon authentication. Can I do this, and if so, how do I configure the firewall? Are there any resources out there that someone can point me to?
For external access by employees, I assume you are planning VPNs. They can be accommodated by a variety of platforms using RADIUS authentication from your Windows domain controllers. Some of your description is confusing. Normally the term intranet is used to describe the company network behind the internal firewall, not the DMZ.
I agree with using Unix and Linux systems on the DMZ. Historically, this has been safer, although the facts may be changing now. Regardless of the OS, all bastion hosts and firewalls need to be hardened. Systems like the Cisco PIX come that way, which is part of the reason many people have trouble configuring them. There are several books on Linux hardening. If you need a reference on hardening Windows, check the NSA site.
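To make the RADIUS suggestion in the reply above concrete, here is an added example that is not part of the original thread. It walks through one RADIUS (RFC 2865) Access-Request / Access-Accept exchange in pure Python: the client hides the User-Password with the MD5-and-shared-secret scheme, the server unhides it, checks it against a user store, and signs its reply with a Response Authenticator that the client verifies. The shared secret, the user name and the in-memory user store standing in for the domain controller lookup are all constructed values; in a real deployment the store would be the DC (for example via IAS/NPS) and the secret would be configured on both the RADIUS client and server.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the two attributes this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    """Walk the attribute list and return {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def obfuscate_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    This hides the password from casual sniffing only; it is not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def deobfuscate_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of obfuscate_password; strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    """Client side: fresh random Request Authenticator plus User-Name and hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, obfuscate_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server side: recover the password, check it, answer Accept or Reject.
    user_db is a constructed {username: password} dict standing in for the DC lookup."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = deobfuscate_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    reply_attrs = b""
    auth = response_authenticator(code, ident, request_auth, reply_attrs, secret)
    return build_packet(code, ident, auth, reply_attrs)


def client_verify_response(response: bytes, request_auth: bytes, secret: bytes) -> int:
    """Client side: reject any reply whose Response Authenticator does not match;
    this is what stops a forged Access-Accept from an impostor on the network."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    received = response[4:20]
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    if not hmac.compare_digest(received, expected):
        raise ValueError("bad Response Authenticator: reply not from our RADIUS server or secret mismatch")
    return code


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"          # constructed value
    USERS = {b"alice": b"correct horse battery staple"}  # constructed stand-in for the DC
    req, ra = build_access_request(7, b"alice", b"correct horse battery staple", SECRET)
    reply = server_handle(req, SECRET, USERS)
    print("result code:", client_verify_response(reply, ra, SECRET))
```

Two things the exchange makes visible for the design in the question: every VPN concentrator or firewall that talks to the domain controllers needs its own strong shared secret, because the secret is the only thing protecting the password and authenticating the server's replies; and because the password hiding is MD5-based rather than real encryption, the RADIUS traffic between the DMZ and the internal domain controllers should run over a network path you already trust (or inside an encrypted tunnel), not across the DMZ in the clear.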
As a previous response mentioned, always harden your systems, mainly those interfacing with the Internet. For resources on hardening take a look on Amazon and search for the Hardening series of books including Hardening Windows and Hardening Network Infrastructure. Also check out Practical Unix & Internet Security.