Nice video. How would you handle traffic when the 10 subnet needs to access the website? Would they have to go out to the web and back into the website from the outside? I saw your other comment about middle men DMZs
You're right, in the best world the DMZ wouldn't have access to the LAN. However, in reality that server in the DMZ requires access to resources on the LAN (database, authentication server, ...), so frequently you have to open ports to the LAN. But at least it doesn't allow access to the whole resource set on the LAN.
That is where the middle men DMZs come in. Where you place read only LDAP servers that have their configs pushed to them from the inside. A lot of ways to skin the cat. There are means of providing the access though. I usually use a public facing DMZ for the web presence, a DB and Auth DMZ for those resources and only the db or auth could potentially reach in (though usually it's the other way around and internal goes in to those via read only AD etc). At the end of our day though we are just trying to make the work load necessary to exploit a resource more than the value of the resource to the malicious actor.
Great video! I do have a question. At the end of the video you said to put the web server and DB on two separate DMZs. Say the web server is compromised and the hacker is able to get the connection string the web server uses to talk to the DB; do separate DMZs help to make the bad guy's life harder in that case?
More steps and hoops to jump through. If they want it bad enough they will eventually make it through. The time investment you have to increase to make them move on.
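The three-zone layout the replies above describe (public web DMZ, separate DB/auth DMZ, read-only replica fed from the inside) expressed as FortiOS policy, added here as an illustration and not taken from the video or its author. Interface names (wan1, dmz-web, dmz-db, lan), address objects and the addresses themselves are assumed; the point is that the only path out of the web DMZ is one port to one host, the LAN initiates toward the replica rather than the other way around, and everything not listed falls to the implicit deny.

```fortios
config firewall address
    edit "web-srv"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "db-srv"
        set subnet 198.51.100.10 255.255.255.255
    next
    edit "ldap-ro"
        set subnet 198.51.100.20 255.255.255.255
    next
end
config firewall policy
    edit 10
        set name "wan-to-web"
        set srcintf "wan1"
        set dstintf "dmz-web"
        set srcaddr "all"
        set dstaddr "web-srv"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 20
        set name "web-to-db"
        set srcintf "dmz-web"
        set dstintf "dmz-db"
        set srcaddr "web-srv"
        set dstaddr "db-srv"
        set action accept
        set schedule "always"
        set service "MYSQL"
        set logtraffic all
    next
    edit 30
        set name "lan-push-to-ldap-ro"
        set srcintf "lan"
        set dstintf "dmz-db"
        set srcaddr "all"
        set dstaddr "ldap-ro"
        set action accept
        set schedule "always"
        set service "LDAPS"
        set logtraffic all
    next
end
```

With a stolen connection string, a compromised web-srv can still only reach db-srv on the DB port, and no policy exists from dmz-web or dmz-db toward lan; a web-to-ldap-ro policy of the same shape as policy 20 is added if the application authenticates against the replica.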
Nice job and simple explanation, can’t wait to see the configuration video
Nice video! It would be cool to see a follow-up on securing traffic within VLANs/subnets as well. PVLAN or Access-VLAN as Fortinet calls it.
Makes sense very good.
I see that Auburn Shirt! Great videos btw - thank you for all of the information #RollTide ;)
That is Architypetecture! :)
Thank you,
How do you achieve this with Hyper-Converged Infrastructure?
You are going to either run NSX / VMX configuration or trunk vlans up to the firewall.
@@FortinetGuru If I'm not using a VMware based Hypervisor?