LehmannMarble871
出典: くみこみックス
Web and FTP Servers
Each network that has an internet connection is at threat of becoming compromised. While there are many methods that you can take to secure your LAN, the only actual resolution is to close your LAN to incoming visitors, and restrict outgoing targeted traffic.
Even so some services such as web or FTP servers require incoming connections. If you call for these solutions you will need to think about whether it is important that these servers are part of the LAN, or whether they can be placed in a physically separate network known as a DMZ (or demilitarised zone if you choose its correct name). Ideally all servers in the DMZ will be stand alone servers, with distinctive logons and passwords for every server. If you call for a backup server for machines within the DMZ then you really should acquire a committed machine and hold the backup answer separate from the LAN backup answer.
The DMZ will come straight off the firewall, which indicates that there are two routes in and out of the DMZ, targeted traffic to and from the net, and traffic to and from the LAN. Targeted traffic among the DMZ and your LAN would be treated completely separately to targeted traffic amongst your DMZ and the Web. Incoming traffic from the world wide web would be routed directly to your DMZ.
As a result if any hacker where to compromise a machine inside the DMZ, then the only network they would have access to would be the DMZ. The hacker would have little or no access to the LAN. It would also be the situation that any virus infection or other security compromise within the LAN would not be in a position to migrate to the DMZ.
In order for the DMZ to be successful, you will have to maintain the visitors among the LAN and the DMZ to a minimum. In the majority of circumstances, the only site visitors needed amongst the LAN and the DMZ is FTP. If you do not have physical access to the servers, you will also need to have some sort of remote management protocol such as terminal solutions or VNC.
Database servers
If your net servers call for access to a database server, then you will need to think about where to location your database. The most secure spot to locate a database server is to produce but an additional physically separate network called the secure zone, and to spot the database server there.
The Secure zone is also a physically separate network connected straight to the firewall. The Secure zone is by definition the most secure spot on the network. The only access to or from the secure zone would be the database connection from the DMZ (and LAN if necessary).
Exceptions to the rule
The dilemma faced by network engineers is exactly where to put the e mail server. It requires SMTP connection to the net, however it also demands domain access from the LAN. If you exactly where to location this server in the DMZ, the domain visitors would compromise the integrity of the DMZ, generating it simply an extension of the LAN. For that reason in our opinion, the only spot you can place an e mail server is on the LAN and let SMTP visitors into this server. Nonetheless we would advocate against allowing any type of HTTP access into this server. If your users need access to their mail from outside the network, it would be far far more secure to appear at some type of VPN answer. (with the firewall handling the VPN connections. LAN based VPN servers permit the VPN traffic onto the network just before it is authenticated, which is never ever a good point.) free smtp server service inside free smtp mail server check this out
