Topologies and IDS • Chapter 7 435
public. If an Internet system attempts to connect to a service not made public, the firewall drops the traffic and logs the information about the attempt (if configured to do so). Systems on a protected network are allowed to access the Internet as they require, and they may also access the DMZ systems for managing the computers, gathering data, or updating content. In this way, systems are exposed only to attacks against the services that they offer, and not to underlying processes that may be running on them.
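The three-zone policy described above (Internet hosts reach only the published DMZ services, protected hosts reach both the Internet and the DMZ, everything else is dropped and logged) can be modelled in a few lines. The following is an added example written for this page, not code from the book; the zone networks, the published port list and the sample connection attempts are all assumed values chosen from documentation address ranges.

```python
"""Model of a three-zone (Internet / DMZ / protected) firewall policy.

Constructed example: the address plan, the published services and the
sample connection attempts are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed address plan.  Documentation ranges are used so nothing here
# points at a real network.
ZONES = {
    "dmz": [ipaddress.ip_network("203.0.113.0/24")],
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
    "internet": [ipaddress.ip_network("0.0.0.0/0")],  # catch-all, checked last
}

# Services the DMZ publishes to the Internet (port -> name); an assumption.
PUBLISHED = {80: "http", 443: "https", 21: "ftp", 25: "smtp-relay"}


def zone_of(addr):
    """Map an address to its zone; specific zones are tested before the catch-all."""
    ip = ipaddress.ip_address(addr)
    for name in ("dmz", "internal", "internet"):
        if any(ip in net for net in ZONES[name]):
            return name
    return "internet"


@dataclass
class Firewall:
    # Every dropped attempt is recorded here, as the text says a firewall
    # should do when configured to log.
    log: list = field(default_factory=list)

    def decide(self, src, dst, dport):
        """Return 'allow' or 'drop' for a new connection src -> dst:dport."""
        s, d = zone_of(src), zone_of(dst)
        # Internet hosts may only reach services the DMZ makes public.
        if s == "internet" and d == "dmz" and dport in PUBLISHED:
            return "allow"
        # Protected hosts may use the Internet and manage the DMZ systems.
        if s == "internal" and d in ("internet", "dmz"):
            return "allow"
        # Default deny: drop and log the attempt.
        self.log.append(f"DROP {src} -> {dst}:{dport} ({s}->{d})")
        return "drop"


if __name__ == "__main__":
    fw = Firewall()
    for src, dst, port in [("198.51.100.7", "203.0.113.10", 443),
                           ("198.51.100.7", "203.0.113.10", 22),
                           ("198.51.100.7", "10.1.2.3", 445),
                           ("10.1.2.3", "203.0.113.10", 22)]:
        print(src, "->", dst, port, fw.decide(src, dst, port))
    print("\n".join(fw.log))
```

The point the model makes explicit is the last branch: an Internet host probing a non-published port on the DMZ, or any port on the protected network, never matches an allow rule, so the attempt is both refused and visible in the log.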
The systems in the DMZ can host any or all of the following services:
■ Internet Web Site Access: IIS or Apache servers that provide Web sites for public and private usage. Examples would be www.microsoft.com or www.netserverworld.com. Both of these Web sites have both publicly and privately available contents.
■ FTP Services: FTP file servers that provide public and private downloading and uploading of files. Examples would be the FTP servers used by popular download providers at www.downloads.com or www.tucows.com. FTP is designed for faster file transfer with less overhead, but does not have all of the special features that are available in Hypertext Transfer Protocol (HTTP), the protocol used for Web page transfer.
EXAM WARNING
Remember that FTP has some security issues in that username and password information is passed in clear text and can easily be sniffed.
■ E-mail Relaying: A special e-mail server that acts as a middleman of sorts. Instead of e-mail passing directly from the source server to the destination server (or the next hop in the path), it passes through an e-mail relay that then forwards it. E-mail relays are a double-edged sword and most security professionals prefer to have this function disabled on all publicly accessible e-mail servers. On the other hand, some companies have started offering e-mail relaying services to organizations as a means of providing e-mail security.
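The exam warning above about FTP credentials travelling in clear text is easy to see from the DMZ side: an IDS sensor watching port 21 can read the USER and PASS commands straight out of the segments. The example below is added for this page and is not from the book; it runs over a constructed capture (documentation addresses, made-up usernames) and shows both the cleartext login the sensor can flag and a session that negotiated TLS first, whose later payload is opaque. The alert records the password length rather than the password itself so the sensor does not become a second place the secret is stored.

```python
"""Flag FTP logins whose credentials crossed the DMZ in clear text.

Constructed example: the segments in CAPTURE are made up for illustration
and the addresses come from documentation ranges.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed capture: client .7 logs in unencrypted; client .9 issues
# AUTH TLS first, so what follows is ciphertext the sensor cannot parse.
CAPTURE = [
    Segment("198.51.100.7", "203.0.113.21", 21, b"USER alice\r\n"),
    Segment("198.51.100.7", "203.0.113.21", 21, b"PASS hunter2\r\n"),
    Segment("198.51.100.9", "203.0.113.21", 21, b"AUTH TLS\r\n"),
    Segment("198.51.100.9", "203.0.113.21", 21, b"\x17\x03\x03\x00\x2a\x8f\x11\x40"),
    Segment("198.51.100.7", "203.0.113.21", 80, b"GET / HTTP/1.1\r\n\r\n"),
]

USER_RE = re.compile(rb"^USER (\S+)\r\n$")
PASS_RE = re.compile(rb"^PASS (\S+)\r\n$")


def find_cleartext_ftp_logins(capture):
    """Return one alert per client that sent USER then PASS on port 21 unencrypted."""
    pending = {}   # client address -> username seen, waiting for PASS
    tls = set()    # clients that issued AUTH TLS; later data is not plaintext
    alerts = []
    for seg in capture:
        if seg.dport != 21 or seg.src in tls:
            continue
        if seg.payload.startswith(b"AUTH TLS"):
            tls.add(seg.src)
            continue
        m = USER_RE.match(seg.payload)
        if m:
            pending[seg.src] = m.group(1).decode("ascii", "replace")
            continue
        m = PASS_RE.match(seg.payload)
        if m and seg.src in pending:
            # Report that a secret was exposed, but do not copy the secret.
            alerts.append({
                "client": seg.src,
                "server": seg.dst,
                "user": pending.pop(seg.src),
                "password_len": len(m.group(1)),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_cleartext_ftp_logins(CAPTURE):
        print("cleartext FTP login:", alert)
```

The same pattern applies to any protocol that authenticates in the clear on a DMZ host: the sensor keys on the command that carries the credential, ties it back to the preceding username, and stops parsing once the session has switched to an encrypted channel.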
www.syngress.com