DMZ vs Port Forwarding HTTPS and Firewall rules restricting LAN traffic



  • Hi all.

    Just trying to weigh the pros and cons of running a Windows file server using some web-based file management system in:

    1 - DMZ

    vs

    2 - Port forwarding HTTPS to a server's static LAN IP and setting up firewall rules in pfSense to deny any traffic other than ICMP and the HTTPS port.

    In my situation the OPT port on my VK-T40E was used for a secondary LAN so I can't exactly use that for a DMZ.

    I've checked around online and there's two views towards this:

    1. Place it in the DMZ, if it gets compromised it doesn't affect the rest of your network.

    2. Place it in the local network and port forward it. Why? Because you should never have things in the DMZ unless you really need to.



  • If you are after opinions, in my world anything that's internet-facing automatically goes into a DMZ, no question. If you need access to the server from the LAN, set up the minimum amount of rules required for access and whatever else happens, don't allow Windows share access from the LAN to the DMZ.

    In truth, you might want to consider some non-Windows alternatives if it's just file sharing you want to do (eg: OwnCloud, VSFTPd, etc.) as you'll avoid some licensing costs and you're (arguably) more secure than under a Windows environment.
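To make the rule advice in the thread concrete, here is an added example (not from the thread, and not pfSense's own code) that models pfSense's top-down, first-match, default-deny rule evaluation in Python and audits the flows discussed: HTTPS and ICMP to the server, no Windows share (SMB, TCP 445) access from LAN to DMZ, and nothing from the DMZ back into the LAN. All addresses are constructed, and the Rule objects are a simplified stand-in for real pfSense rules (no interfaces, states or NAT).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for this example, not the thread's real network.
ANY, LAN, DMZ = "0.0.0.0/0", "192.168.1.0/24", "192.168.50.0/24"
WAN_CLIENT, LAN_PC, FILE_SERVER = "203.0.113.5", "192.168.1.20", "192.168.50.10"

@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    src: str                  # CIDR the source address must fall in
    dst: str                  # CIDR the destination address must fall in
    proto: str = "any"        # "tcp", "udp", "icmp" or "any"
    dport: "int | None" = None   # None matches any port (ICMP has none)

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

def verdict(rules, src, dst, proto, dport=None):
    """pfSense-style evaluation: top-down, first match wins, default deny."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "block"

# Strict DMZ policy from the thread: HTTPS and ICMP to the server only,
# no Windows shares from LAN to DMZ, and nothing from the DMZ back into LAN.
STRICT = [
    Rule("pass", ANY, FILE_SERVER, "tcp", 443),
    Rule("pass", ANY, FILE_SERVER, "icmp"),
    Rule("block", DMZ, LAN),
]

# Same intent, but a convenience "LAN -> DMZ allow all" rule was placed
# above the others. First match wins, so it silently re-opens SMB.
LOOSE = [Rule("pass", LAN, DMZ)] + STRICT

def audit(rules):
    """Evaluate the flows the thread cares about against a ruleset."""
    return {
        "wan_https_to_server": verdict(rules, WAN_CLIENT, FILE_SERVER, "tcp", 443),
        "wan_smb_to_server": verdict(rules, WAN_CLIENT, FILE_SERVER, "tcp", 445),
        "lan_https_to_server": verdict(rules, LAN_PC, FILE_SERVER, "tcp", 443),
        "lan_smb_to_server": verdict(rules, LAN_PC, FILE_SERVER, "tcp", 445),
        "server_smb_to_lan": verdict(rules, FILE_SERVER, LAN_PC, "tcp", 445),
    }

if __name__ == "__main__":
    for name, rules in (("strict", STRICT), ("loose", LOOSE)):
        print(name, audit(rules))
```

Running it shows the strict set passing only the two HTTPS flows while the loose set additionally passes LAN-to-server SMB, which is exactly the share access the reply above says to keep closed.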



  • Thanks

    Yeah I was mostly after opinions since it seems people's opinions online go both ways and not sure what might be considered "outdated".
    The software is FileLEAP (some .net based document management system) where the only thing internet facing is http port and accessed locally by http also.
    Thanks for reminding me about OwnCloud. Been meaning to try that out and forgot about it.

