Re: How to securely connect an Intranet-Samba-PDC with a LAMP in the DMZ?!



Tom wrote:
Hello group!

I am administering a small network which has 3 zones: Internet, DMZ and
Intranet, quite similar to what it looks like here:
http://de.wikipedia.org/wiki/Bild:Endian_Network_Topology.jpg
In other words: I have the RED (=insecure), ORANGE (partly secure) and
GREEN (highly secure) zone, all combined by a Firewall/Gateway linux box.

In the ORANGE zone (DMZ) I am running a LAMP server which serves data
towards the public internet (Webserver and FTP server)
In the GREEN zone (intranet) I am running a Samba-Server as fileserver
and PDC for my intranet client machines.
By default my firewall allows access from the green to the orange net,
but not vice versa. However I can open "pinholes" so that partial access
is allowed from orange to green (but each pinhole is also a decrease of
security)

So far so good.

Now what I want to do:

I want to be sitting on one of my Windows clients in the green network
and be able to transfer files from the orange LAMP server to the green
File-Server and vice versa comfortably via network shares.

For the moment I am using FTP to transfer the files between them,
sitting in front of the linux boxes, which is not very comfortable.

How should I do that in the best way, so it remains top secure?

You need to organise your file transfers so that they are always
initiated from the GREEN zone. So you want the simplest possible server
running on your LAMP server that allows part of its filesystem to appear
on your GREEN server.

Why not just run an NFS server on your LAMP server with restrictions in
your /etc/exports file that only allow your GREEN server to see the part
of the filesystem that you export?

Robert


- Do I have to install a Samba-Server on orange? (which I find insecure)
- Do I have to grant the orange server access to green server by giving
him a pinhole on the firewall? (which I again find insecure)
- Do I have to connect them via NIS?
- Can I somehow mount a folder between green and orange?
- Do I need to install an FTP-server on both and then use FXP (which
again I don't like because I don't want to install an FTP on green for
security reasons)

What would you do in my case?
Any advice is welcome!! :-)

Thank you
tomakos
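As an added illustration of Robert's NFS suggestion (not part of either post), these are the three pieces that keep every transfer initiated from GREEN: the restricted export on the ORANGE LAMP server, the mount on the GREEN file server, and a Samba share on GREEN that hands the mounted directory to the Windows clients. The addresses, hostnames, paths, the group name and the uid 33 (www-data on Debian) are assumptions.

```conf
# --- ORANGE LAMP server: /etc/exports ---
# Only the GREEN file server (10.0.2.10, assumed) may mount, and only the
# exchange directory, never the whole web root. all_squash + anonuid/anongid
# make every write arriving from GREEN land as uid 33 (www-data, assumed),
# so the web server can read the files and no GREEN account, root included,
# maps to a privileged uid on the DMZ box.
/srv/www/exchange  10.0.2.10(rw,sync,all_squash,anonuid=33,anongid=33,no_subtree_check)

# Weak form to avoid: any host may mount and root stays root on the DMZ side.
# /srv/www/exchange  *(rw,no_root_squash)

# --- GREEN file server: /etc/fstab ---
# The GREEN box opens the connection, so the existing GREEN -> ORANGE policy
# covers it and no ORANGE -> GREEN pinhole is needed. NFSv4 uses a single
# TCP port (2049), which keeps that policy narrow. soft/bg stop the file
# server from hanging at boot if the DMZ host is down or has been pulled
# offline; nosuid/nodev/noexec mean nothing fetched from the DMZ can be
# run as a setuid binary or device on the intranet side.
lamp.dmz.example:/srv/www/exchange  /mnt/orange-exchange  nfs4  rw,soft,bg,nosuid,nodev,noexec,_netdev  0  0

# --- GREEN file server: /etc/samba/smb.conf ---
# The Windows clients never talk to ORANGE at all; they see the exchange
# directory as one more share on the PDC, restricted to the staff group.
[exchange]
   comment = Files exchanged with the DMZ web server
   path = /mnt/orange-exchange
   valid users = @staff
   read only = no
   browseable = yes
```

The host restriction in /etc/exports is checked by source address only (AUTH_SYS), so it is only as strong as the gateway's anti-spoofing rules between the zones; treat the export list as a convenience boundary and the firewall as the security boundary.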

