[TriLUG] Server Maintenance

Hite, Danny Danny.Hite at per-se.com
Fri Aug 1 15:47:06 EDT 2003


> Well you should be extra careful of anything that is accessible via the
> outside (even by one port).  By blocking both inbound and outbound
> traffic on unused ports and protocols you may save yourself a lot of
> work should someone violate your network.  

> I think it's fine to open up some ports to your local subnet, but you
> should definitely limit/justify the number of ports that are open to
> everybody all the time.

> My approach to security is multi-layered. I like to limit access by
> user, services, groups, and locations. This applies to the internal
> network as well as the DMZ and the external network.

> As an example, user johnq may need access to read the intranet webserver
> from any corporate (or VPN'ed) location, but he only needs write access
> to the testing group's section of the intranet, and only while he is
> accessing it from a machine physically located in the testing subnet.

> It seems like a pain in the a**, but once your network and groups are
> set up to accommodate this kind of security approach, then adding the
> security becomes fairly easy and commonplace.

> HtH - Jon

The server in the DMZ is actually very locked down. I have only port 80 open
from internal to DMZ so that employees can access the forum as well. No
other ports are opened in either direction. Does that sound good enough?
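The johnq example in Jon's quoted reply (limit access by user, group, action and source location, default deny) can be written down as a small policy evaluator. The following is an added example, not code from either poster: the subnets, the group membership and the resource names are constructed for illustration, and the "testing group may read the whole intranet from corporate or VPN space, but write only its own section and only from the testing subnet" rule is the one described in the quote.

```python
"""Layered access policy in the spirit of the johnq example.

Added example, not from the original post. Subnets, users, groups and
resource names are constructed. Default is deny: a request is allowed only
if some rule matches on every dimension it constrains (user or group,
action, resource, and the source network the request comes from).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed network layout (constructed for the example).
CORPORATE = [ip_network("10.0.0.0/16")]      # all corporate LAN address space
VPN = [ip_network("10.200.0.0/24")]          # addresses handed out to VPN clients
TESTING = [ip_network("10.0.50.0/24")]       # the testing subnet (inside CORPORATE)

# Assumed group membership (constructed).
GROUPS = {"testing": {"johnq", "alice"}, "marketing": {"bob"}}


@dataclass(frozen=True)
class Rule:
    action: str                    # "read" or "write"
    resource: str                  # resource prefix, e.g. "intranet/" or "intranet/testing/"
    src_nets: Tuple                # networks the request may originate from
    user: Optional[str] = None     # match one named user ...
    group: Optional[str] = None    # ... and/or any member of a group

    def matches(self, user, action, resource, src_ip):
        """True only if every dimension this rule constrains is satisfied."""
        if self.user is not None and user != self.user:
            return False
        if self.group is not None and user not in GROUPS.get(self.group, set()):
            return False
        if action != self.action:
            return False
        if not resource.startswith(self.resource):
            return False
        # Location check: the source address must fall in one of the rule's networks.
        return any(src_ip in net for net in self.src_nets)


POLICY = [
    # Members of the testing group (johnq among them) may read the whole
    # intranet from any corporate or VPN address ...
    Rule("read", "intranet/", tuple(CORPORATE + VPN), group="testing"),
    # ... but may write only the testing section, and only from the testing subnet.
    Rule("write", "intranet/testing/", tuple(TESTING), group="testing"),
]


def is_allowed(user, action, resource, src_ip, policy=POLICY):
    """Default deny: allowed only if at least one rule matches every dimension."""
    ip = ip_address(src_ip)
    return any(rule.matches(user, action, resource, ip) for rule in policy)


if __name__ == "__main__":
    # Constructed requests: (user, action, resource, source address).
    requests = [
        ("johnq", "read", "intranet/home", "10.0.3.7"),              # corporate LAN
        ("johnq", "read", "intranet/home", "10.200.0.9"),            # VPN client
        ("johnq", "write", "intranet/testing/plan", "10.0.50.12"),   # testing subnet
        ("johnq", "write", "intranet/testing/plan", "10.0.3.7"),     # wrong location
        ("johnq", "write", "intranet/marketing/x", "10.0.50.12"),    # wrong section
        ("johnq", "read", "intranet/home", "203.0.113.5"),           # external address
        ("bob", "read", "intranet/home", "10.0.3.7"),                # no rule for marketing
    ]
    for req in requests:
        print(req, "->", "ALLOW" if is_allowed(*req) else "DENY")
```

Because the location check is part of the rule rather than a separate firewall hop, a request that is correct in every other respect (right user, right section, write action) is still refused when it arrives from outside the testing subnet, which is exactly the distinction the quoted example draws between read and write access.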
