Put OSX Server in DMZ or not?

My network has a dedicated box running the community edition of Endian Firewall that creates three separate physical networks: WAN/Internet, Internal and a dedicated DMZ network that has a couple of Linux servers.

I plan on using OSX server to provide services to the internal network and to host email, a public website and Wiki. Calendaring & address book services, etc. I may provide externally via a VPN instead of exposing those services to the outside world.

I haven't found any discussion of the trade-offs of either configuration in the Apple Documentation.

Is it better to put the OSX server in the DMZ or on the internal network with port forwarding?

Mini Server, Mac OS X (10.6.5)

Posted on Nov 21, 2010 7:47 AM


Nov 21, 2010 8:05 AM in response to JTruesdale

Your server is exposed to the Internet, which means that a breach can provide a beachhead for the attacker, and can allow further intrusions and additional breaches in the absence of a DMZ.

Folks with very small networks and low-value networks often don't bother with a DMZ.

Folks with more network-connected devices and more hosts and particularly with more valuable data or with larger-bandwidth connections (the connection itself is valuable to an attacker) will generally use the DMZ and internal firewalls; layered defenses. Network monitors and distributed logging also tend to appear in this range.

Printers and network storage controllers, for instance, can be good targets for secondary attacks. As can less-protected internal services. And for uses such as relay spam via the less-protected internal access path into a mail server, for instance.

And for completeness, firewalls are not a panacea. There are various techniques for breaching them.
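The trade-off discussed in this thread, worked through as an added example that is not part of the original posts: a small model that computes which hosts an attacker could reach from a breached server in each placement. The host names, listening ports and firewall rules are constructed assumptions, not the poster's actual configuration.

```python
from collections import deque

def build(server_zone):
    """Constructed topology: the three zones from the question, hypothetical hosts."""
    hosts = {                       # name -> (zone, listening ports)
        "osx-server": (server_zone, {25, 80, 443}),
        "linux-web":  ("dmz",      {22, 80}),
        "printer":    ("internal", {631, 9100}),
        "nas":        ("internal", {445, 548}),
        "desktop":    ("internal", {22}),
    }
    # Firewall rules for NEW connections: (source zone, destination host) -> ports.
    # The WAN reaches only the published services, wherever the server sits
    # (a DMZ rule in one placement, a port forward in the other).
    rules = {("wan", "osx-server"): {25, 80, 443},
             ("wan", "linux-web"): {80},
             ("internal", "linux-web"): {22, 80}}
    if server_zone == "dmz":
        # Internal clients use the server; the DMZ may not open connections inward.
        rules[("internal", "osx-server")] = {25, 80, 443}
    return hosts, rules

def can_connect(src, dst, hosts, rules):
    """Ports on dst that src can open a connection to."""
    src_zone, _ = hosts[src]
    dst_zone, listening = hosts[dst]
    if src_zone == dst_zone:        # same segment: traffic never crosses the firewall
        return set(listening)
    return listening & rules.get((src_zone, dst), set())

def blast_radius(start, hosts, rules):
    """Hosts reachable from a breached `start`, directly or by pivoting.
    Worst-case assumption: any reachable service may be exploitable."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for other in hosts:
            if other not in seen and can_connect(cur, other, hosts, rules):
                seen.add(other)
                queue.append(other)
    return seen - {start}

def compare():
    return {zone: sorted(blast_radius("osx-server", *build(zone)))
            for zone in ("dmz", "internal")}

if __name__ == "__main__":
    for zone, reached in compare().items():
        print(f"server in {zone:8}: breach exposes {reached}")
```

In the DMZ placement the breach is confined to the other DMZ host; with port forwarding to the internal network, the printer, storage and desktop all share a segment with the breached server and the firewall never sees that traffic.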
