
DMZ change has been requested, how secure is it?

In our environment the use of the DMZ on our UTM is relatively new to our setup. We use UTMs at all of our remote sites that are connected to the internet via VSAT, SG210s and SG135s for the most part. In the DMZ is a PC-based web server that reports data back to a cloud service. Everything is working fine. Remote managers can connect to the PC via TeamViewer, and all data from the PC is being deposited to the cloud service.

Here is the problem / situation: There have been requests in the upper chain of command that users inside the LAN at each remote site be able to directly access the PC-based website in the DMZ, so they are asking that I open port 80 from my internal LAN to the DMZ (and obviously the reverse as well). I know how to make the changes...

Here's the actual question: How secure would that setup be? Does traffic from the LAN to DMZ (and vice versa) get the same level of packet inspection as WAN traffic? What risks would I be exposed to?


Thanks for your time,

Dave

  • Hey David.

    Do you have a WAF subscription? If you are worried about security, you could use WAF to allow your LAN clients to connect to the DMZ server web service. That way no ports would need to be opened between your LAN and DMZ.

    Now, if you don't have WAF, opening port 80 from your LAN to the DMZ would NOT require you to open any ports from the DMZ to your LAN. Sophos UTM is a stateful firewall, so it would be smart enough to track the connection from your LAN to the DMZ and allow packets to return.

    About IPS, AFAIK, any packet traversing the UTM into a protected network is inspected. Unless you have some exception in place, it should be checked like anything coming from the WAN.

    I, for one, would go with WAF if available. If not, I don't see any major security implications. To me, that's no different than allowing your clients to access a web server over the WAN.

    EDIT: check Rulz to understand how packets run through the UTM.

    Regards,

    Giovani
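    The stateful point above (one LAN-to-DMZ rule on tcp/80, replies tracked, nothing opened from the DMZ back into the LAN) as an added illustration, not code from the thread or from Sophos UTM: a small connection-tracking model with constructed placeholder addresses, showing which packets a single allow rule lets through and which DMZ-initiated packets are dropped.

```python
from dataclasses import dataclass

# Constructed addressing (placeholders, not from the thread):
# 10.0.0.0/24 is the site LAN, 192.168.50.0/24 is the DMZ.
LAN_PREFIX, DMZ_PREFIX, WEB_PORT = "10.0.0.", "192.168.50.", 80

def zone(ip: str) -> str:
    """Map an address to the firewall zone it sits in."""
    if ip.startswith(LAN_PREFIX):
        return "LAN"
    return "DMZ" if ip.startswith(DMZ_PREFIX) else "WAN"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a new TCP connection

class StatefulFirewall:
    """One explicit rule (LAN -> DMZ tcp/80) plus a connection-tracking table."""
    def __init__(self) -> None:
        self.conntrack: set = set()   # 4-tuples of flows admitted by a rule

    def rule_allows_new(self, p: Packet) -> bool:
        # The only rule the thread asks about: LAN clients to the DMZ web server.
        return zone(p.src) == "LAN" and zone(p.dst) == "DMZ" and p.dport == WEB_PORT

    def process(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        # Packets of a tracked flow pass in both directions; no DMZ -> LAN rule needed.
        if flow in self.conntrack or reverse in self.conntrack:
            return "ALLOW-ESTABLISHED"
        if p.syn and self.rule_allows_new(p):
            self.conntrack.add(flow)
            return "ALLOW-NEW"
        return "DROP"   # everything else, including DMZ-initiated connections to the LAN

def demo() -> list:
    """Replay a constructed packet sequence and return the firewall's decisions."""
    fw = StatefulFirewall()
    packets = [
        Packet("10.0.0.25", 51000, "192.168.50.10", 80, syn=True),   # LAN user opens the site
        Packet("192.168.50.10", 80, "10.0.0.25", 51000),             # web server's reply
        Packet("192.168.50.10", 40000, "10.0.0.25", 445, syn=True),  # DMZ host opening a new connection inward
        Packet("192.168.50.10", 80, "10.0.0.99", 52000),             # unsolicited "reply" to another LAN host
    ]
    return [fw.process(p) for p in packets]
```

    The model covers the filtering behaviour only; the IPS inspection mentioned above is a separate step applied to the packets the filter admits.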

  • giomoda said:

    SNIP.....

    I, for one, would go with WAF if available. If not, I don't see any major security implications. To me, that's no different than allowing your clients to access a web server over the WAN.

    EDIT: check Rulz to understand how packets run through the UTM.

    Regards,

    Giovani

    Very similar to what my CIO said (as far as being like any other web server). It's just a little disturbing to have a web server which I have no control over (as far as patching and virus protection, etc.) connected directly to my own equipment. We currently do not have a WAF subscription.

    Dave
