Question

My client's network security person is setting up their new website in a DMZ for security. This makes total sense to me. However, she proceeded to say that it's a best practice that the company employees not be able to access the site internally. For example, to check if the site was up, she suggested they use their phone.

Is this a new thing? Does it even make sense? I've never heard of not allowing company employees to access the company website over their internal network before. I'm not a security person, I'm a developer, so if this is right on the money please let me know; it just seemed unusual to me.

Is this a best practice that companies are implementing now? Is it the advised way to go?

Any information is greatly appreciated. I'm just confused and a little stunned.

Thanks!


Solution

They should be blocking the Windows domain, directory services and unused ports from the inside network but should allow the necessary web ports for management. The purpose of the DMZ is to protect your internal network from the public server, not the other way around. You shouldn't have to tell the network security guy that the risk is too low to justify the extra costs associated with monitoring the server from the outside. If your security guy has any experience in network security he'll know that this is standard practice. If not, take it to management and tell them that you need them to pay for another internet connection to monitor your servers, or ask the security guy to make one access-list change in his firewall.

OTHER TIPS

A machine in DMZ should not be able to 'connect in' to any machine in your internal network. Machines from your internal network can always connect to the machines in DMZ. Generally employees have access to the websites (and other services) running in the DMZ, so there is no reason why you should be restricting employees to connect to your own DMZ machine.

So to answer your question: Is this a best practice that companies are implementing now?
No

Is it the advised way to go?
This doesn't make you any more secure than you are. If the rationale behind this restriction is to prevent possible infection of internal machines from malware being distributed by your own website, then how is it more secure than getting infected by malware distributed by a random website?
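The two answers describe the same three-zone policy: internal hosts may reach the DMZ web server on the web ports (so employees can check the site), a management subnet may reach it for administration, and DMZ hosts may never open connections into the internal network (the Windows domain and directory ports especially). The following is an added example, written for this page and not code from either answerer or from any firewall product: it models first-match firewall evaluation in Python and compares the recommended policy against the over-restrictive one from the question. All addresses, subnets and port sets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample address plan (assumption, not from the page).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # corporate LAN
ADMIN_NET = ipaddress.ip_network("10.0.5.0/24")      # admins who manage the DMZ hosts
DMZ = ipaddress.ip_network("192.168.100.0/24")       # public-facing web servers
ANY = ipaddress.ip_network("0.0.0.0/0")

# Windows domain / directory ports the first answer says to block from the DMZ inward
# (Kerberos, RPC endpoint mapper, LDAP, SMB, LDAPS, RDP).
DIRECTORY_PORTS = (88, 135, 389, 445, 636, 3389)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: FrozenSet[int]       # empty set means "any destination port"

    def matches(self, src_ip, dst_ip, dport: int) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (not self.dports or dport in self.dports))


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """First-match evaluation with an implicit final deny, as most firewalls do."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


# Policy the answers recommend: inside -> DMZ on the web ports, admin subnet -> DMZ for
# management, DMZ -> inside denied entirely, and the public reaching the website.
RECOMMENDED: List[Rule] = [
    Rule("allow", INTERNAL, DMZ, frozenset({80, 443})),
    Rule("allow", ADMIN_NET, DMZ, frozenset({22})),
    Rule("deny", DMZ, INTERNAL, frozenset()),
    Rule("allow", ANY, DMZ, frozenset({80, 443})),
]

# The over-restrictive variant from the question: employees are blocked from the DMZ too.
OVERRESTRICTIVE: List[Rule] = [
    Rule("deny", INTERNAL, DMZ, frozenset()),
    Rule("deny", DMZ, INTERNAL, frozenset()),
    Rule("allow", ANY, DMZ, frozenset({80, 443})),
]


def dmz_isolation_holds(policy: List[Rule]) -> bool:
    """True when a DMZ host cannot reach the internal network on any directory port."""
    return all(evaluate(policy, "192.168.100.10", "10.1.2.3", p) == "deny"
               for p in DIRECTORY_PORTS)


def employees_can_check_site(policy: List[Rule]) -> bool:
    """True when an ordinary internal workstation can reach the DMZ site over HTTPS."""
    return evaluate(policy, "10.20.30.40", "192.168.100.10", 443) == "allow"


def compare(policies: Dict[str, List[Rule]]) -> Dict[str, Tuple[bool, bool]]:
    """Map each policy name to (DMZ isolated from inside, employees can reach site)."""
    return {name: (dmz_isolation_holds(p), employees_can_check_site(p))
            for name, p in policies.items()}


if __name__ == "__main__":
    results = compare({"recommended": RECOMMENDED, "over-restrictive": OVERRESTRICTIVE})
    for name, (isolated, reachable) in results.items():
        print(f"{name}: DMZ isolated from internal={isolated}, "
              f"employees can reach site={reachable}")
```

Both policies keep the DMZ from connecting inward, which is the property that actually protects the internal network; the over-restrictive one only removes the employees' ability to reach the site. Running the script shows exactly that pair of results for each policy, which is the point the second answer makes in prose.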

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow