DMZ VMware server connection to inside network: security risk

Hi,
We are thinking of connecting the DMZ hosts (VM servers) directly to the inside network by putting them into an L2 VLAN. What are the pros and cons of doing it this way? Appreciate your help.
Thanks

Thanks Julio and Andrew for your comments.
Physical connections will be as follows:
From the DMZ host (VM server):
  -- One connection to the internal core switch (6509) for the DMZ, configured as an access port on the DMZ VLAN.
  -- One connection to the internal core switch (6509) for the production network, configured as an access port on the production VLAN.
Basically we are moving away from physical separation of the DMZ host in order to utilize the VM servers effectively for both DMZ and production. We have to maintain both the firewall and the network. Apart from human error, what are the possible risks of this?
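The design above puts a single ESX host on both the DMZ and the production access ports. Beyond human error, the paths a reviewer looks for are in the host's virtual networking: a guest with vNICs in both port groups, a vSwitch that ends up with an uplink in each zone, a port group set to VLAN 4095 (VMware's "pass every VLAN" setting) or to promiscuous mode, and the host's own management interface landing on the DMZ side. The script below is an added example, not code from the original thread; it walks a constructed inventory that mirrors the post's layout (the port group, VLAN and VM names are assumptions) and reports each such path.

```python
"""Audit an ESX host's virtual networking for paths between DMZ and production.

Added example, not part of the original thread. The inventory mirrors the
design in the post (one host, one pNIC on the 6509's DMZ access port, one on
the production access port) with constructed port groups, VLAN IDs and VMs;
all names are assumptions.
"""
VGT_ALL_VLANS = 4095   # VMware "virtual guest tagging": the port group passes every VLAN

# Which zone each physical uplink is cabled to on the core switch (assumed).
UPLINK_ZONE = {"vmnic0": "dmz", "vmnic1": "prod"}

# Constructed inventory: vSwitch -> uplinks + port groups; VM -> port groups of its vNICs.
INVENTORY = {
    "vswitches": {
        "vSwitch0": {"uplinks": ["vmnic0"], "portgroups": {
            "DMZ-Web": {"vlan": 0, "promiscuous": False},
            "Sniffer": {"vlan": VGT_ALL_VLANS, "promiscuous": True},
        }},
        "vSwitch1": {"uplinks": ["vmnic1"], "portgroups": {
            "Prod-App": {"vlan": 0, "promiscuous": False},
        }},
        # Both uplinks on one vSwitch: untagged frames from both access ports meet here.
        "vSwitch2": {"uplinks": ["vmnic0", "vmnic1"], "portgroups": {
            "Management": {"vlan": 0, "promiscuous": False, "vmkernel": True},
        }},
    },
    "vms": {
        "web01": ["DMZ-Web"],
        "app01": ["Prod-App"],
        "jump01": ["DMZ-Web", "Prod-App"],   # dual-homed guest
        "ids01": ["Sniffer"],
    },
}


def portgroup_zones(inventory, uplink_zone):
    """Map each port group to the set of zones its vSwitch's uplinks reach."""
    zones = {}
    for vs in inventory["vswitches"].values():
        vs_zones = frozenset(uplink_zone[u] for u in vs["uplinks"])
        for pg in vs["portgroups"]:
            zones[pg] = vs_zones
    return zones


def audit(inventory, uplink_zone):
    """Return a list of findings; an empty list means no DMZ/production path was found."""
    findings = []
    pg_zones = portgroup_zones(inventory, uplink_zone)
    for vs_name, vs in inventory["vswitches"].items():
        vs_zones = {uplink_zone[u] for u in vs["uplinks"]}
        if len(vs_zones) > 1:
            findings.append("%s: uplinks span zones %s; its untagged port groups form one L2 domain across them"
                            % (vs_name, sorted(vs_zones)))
        for pg_name, pg in vs["portgroups"].items():
            if pg["vlan"] == VGT_ALL_VLANS:
                findings.append("%s: VLAN 4095 (VGT) hands every VLAN on the uplink to the guest" % pg_name)
            if pg.get("promiscuous"):
                findings.append("%s: promiscuous mode accepted; guests can sniff the whole port group" % pg_name)
            if pg.get("vmkernel") and "dmz" in vs_zones:
                findings.append("%s: host management (vmkernel) is reachable from the DMZ" % pg_name)
    for vm, nics in inventory["vms"].items():
        zones = set().union(*(pg_zones[pg] for pg in nics))
        if len(zones) > 1:
            findings.append("%s: vNICs in %s; the guest itself bridges DMZ and production" % (vm, sorted(zones)))
    return findings


if __name__ == "__main__":
    for line in audit(INVENTORY, UPLINK_ZONE):
        print(line)
```

Run as-is it prints five findings for the constructed inventory (the mixed-uplink vSwitch2, the VGT and promiscuous "Sniffer" port group, the management vmkernel port on the DMZ side, and the dual-homed guest jump01). To use it against a real host, fill INVENTORY from the host's vSwitch and port group configuration and set UPLINK_ZONE from the switch port each pNIC is patched to; the VLAN and promiscuous checks matter even when the 6509 ports are access ports, because a later change to a trunk port would silently widen what the guests can see.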

Similar Messages

  • Unknown PC server "connected" to the network

    I have a weird problem. I've got one iMac and one MB Pro connected to my wireless network. On the iMac I've just today started getting a PC server showing up under "shared" in the sidebar in Finder. When I try to connect, it says that the connection fails. However, on another device I've got connected to the TV that can play movies and sounds over the network, the same device appears in the "workgroup" when I log in there. When I turn off the iMac, however, that device disappears as well. Somehow, it seems my iMac is running some kind of virtual PC server that I can't connect to..?
    I'm getting really frustrated about this, because it seems to me to be a virus, but it's not possible to trace it. I'd appreciate any insights into this that the community can provide.

    Hello guys,
    More than likely you have nothing to worry about!
    There are all kinds of devices that could be showing up on the sidebar of your Finder... Your DVR or cell phone might even show up there if they are connected to your network (wired or wireless).
    There are several ways to go about finding out what the secret unknown device is...
    1. Check your network for attached devices
    Physically look at what is connected to your network by seeing what is plugged into your router or modem.
    2. Check your router for DHCP clients
    Your router will have some sort of configuration page that you can check from your computer. This will tell you what is attached and communicating with your network wired or wirelessly.
    The DHCP client list shows what devices are getting IP addresses automatically (if assigned manually, they will likely not show up here). The instructions for this are different (but not too different) from router to router. Common brands for routers include Netgear, Linksys, and Apple.
    On an Apple Airport wired and wireless DHCP "clients" are listed separately to find the wired ones go to Advanced > Logging & SNMP > Logs and Statistics > DHCP Clients and to find the wireless ones, look under AirPort > Summary > Wireless Clients. For another brand, you'll have to Google it.
    3. Run a Serious Network Scan with Nmap/Zenmap
    This is almost overkill for trying to find out what is on the sidebar of your Finder - but nmap is the best utility for network scanning. It can be downloaded from:
    http://nmap.org/download.html#macosx
    It comes with a graphical interface called Zenmap and a command line tool. Personally, I prefer the command line version but they both work the same. Zenmap does require X11.
    Either way, you can scan your network if you know the IP address of your own computer while it is connected.
    If you need to find your IP address - you can find this by EITHER opening a terminal and typing ifconfig OR by going to System Preferences > Network then choosing your Airport or Ethernet (whichever is connected) and looking for your IP address. It should be in the format ###.###.###.### - common IP subnets include 192.168.1.###, 192.168.0.###, and 10.0.1.### - when you've found your IP address, you can now do an nmap/Zenmap scan for all IPs within your subnet. Not only will this tell you what network devices are attached, but also it will try to detect what type of device and what operating system is being used.
    To find ALL the devices attached to your network, you will have to search the entire range of your subnet - the subnet is the first three groupings of your IP address. For my computer's IP 192.168.1.5 this would be 192.168.1 and since the minimum address for an IP is 1 and the max is 255, I will be searching in the range 192.168.1.1-255 (if my IP was 10.0.1.101 or 10.0.1.5 then I would search 10.0.1.1-255).
    If I'm using Zenmap I will make my target 192.168.1.1-255 and I will choose Quick scan from the profile - just to get an idea of what IPs are in use. 10 seconds later - Presto! A list of all the devices attached to my network.
    Feel free to upload the list here and let me take a look if you have any trouble reading it yourself.
    You can also do a scan by entering the following into the Command field of Zenmap or by running this in the Terminal (please adjust your subnet accordingly):
    nmap -O -sA 192.168.1.1-255
    This will attempt to get more information out of the attached devices, such as, what operating system they may be running.
    Start with that and post back here to let me know what you find.
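The answer above ends with "post back here and let me know what you find", which in practice means reading nmap's output. nmap can write its results as XML (`-oX scan.xml`), which is easier to filter than the screen output when a subnet has a few dozen devices. The script below is an added example, not part of the original thread or of nmap: it parses that XML to list each live host's IP, MAC and vendor, hostname, open ports and best OS guess, and then flags any host whose MAC is not on a list of devices you already know. The embedded XML is constructed to look like nmap output; its addresses, MACs and vendors are made up.

```python
"""Parse nmap XML output (-oX) to list hosts and flag unknown devices.

Added example, not part of the original thread. SAMPLE_XML is constructed to
look like the output of 'nmap -O -oX scan.xml 192.168.1.0/24'; every address,
MAC and vendor in it is made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -oX scan.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="C0:3F:0E:00:00:01" addrtype="mac" vendor="Netgear"/>
    <hostnames><hostname name="router" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports>
    <os><osmatch name="Linux 2.6.X" accuracy="94"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.5" addrtype="ipv4"/>
    <hostnames/>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.23" addrtype="ipv4"/>
    <address addr="00:1D:7E:00:00:02" addrtype="mac"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7" accuracy="97"/></os>
  </host>
  <host><status state="down"/>
    <address addr="192.168.1.9" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return one dict per host that nmap reported as up."""
    hosts = []
    for h in ET.fromstring(text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        entry = {"ip": None, "mac": None, "vendor": None, "hostname": None, "open_ports": [], "os": None}
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                entry["ip"] = a.get("addr")
            elif a.get("addrtype") == "mac":          # absent for the scanning machine itself
                entry["mac"] = a.get("addr").upper()
                entry["vendor"] = a.get("vendor")     # None when nmap has no OUI match
        hn = h.find("hostnames/hostname")
        if hn is not None:
            entry["hostname"] = hn.get("name")
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is not None and st.get("state") == "open":
                svc = p.find("service")
                entry["open_ports"].append((int(p.get("portid")), svc.get("name") if svc is not None else None))
        best = None
        for m in h.findall("os/osmatch"):             # keep the highest-accuracy OS guess
            acc = int(m.get("accuracy", "0"))
            if best is None or acc > best[1]:
                best = (m.get("name"), acc)
        entry["os"] = best[0] if best else None
        hosts.append(entry)
    return hosts


def unknown_hosts(hosts, known_macs):
    """Hosts whose MAC is not on the allow-list (the scanner itself has no MAC entry)."""
    known = {m.upper() for m in known_macs}
    return [h for h in hosts if h["mac"] is not None and h["mac"] not in known]


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_XML)
    for h in found:
        print(h["ip"], h["mac"], h["vendor"], h["hostname"], h["open_ports"], h["os"])
    for h in unknown_hosts(found, {"C0:3F:0E:00:00:01"}):
        print("unknown device:", h["ip"], h["mac"], h["vendor"] or "(no OUI match)")
```

Point it at a real file by replacing SAMPLE_XML with the contents of the `-oX` file from a scan such as `nmap -O -oX scan.xml 192.168.1.0/24` (OS detection needs root, and nmap only reports MAC addresses for hosts on the same Ethernet segment). A host with SMB ports 139/445 open, a Windows OS guess and a MAC nmap cannot attribute to a vendor is exactly the kind of entry that shows up as an unexplained "PC server" in the Finder sidebar.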

  • Web form and database security risk

    I'd like to develop an Oracle Form or APEX Form where people don't have to login to use it. Like a registration form on our website, where anyone can fill it out. Ideally, the information entered into the form would be saved to an Oracle table (could use a flat file if database security is an issue). I'm a developer and don't know a lot about the security side.
    I'm thinking we would need a static IP address and an Oracle public password that doesn't expire, since the public doesn't have to login to use the form.
    Is this possible, and is it a database or network security risk?

    An APEX page can certainly be configured to not require authentication (that's pretty standard for the login/ registration page). There is no need for an "Oracle public password." There are accounts in the Oracle database that APEX uses but that no human needs to know the password for. If that's what you mean by "Oracle public password" then, yes, you do. But that would be the case no matter what authentication and authorization scheme you use in APEX.
    A static IP address for your web server is likely a good idea. It's possible to have DNS work with dynamic IP addresses but that's probably not what you want.
    Justin

  • Network Error: Clean Access Server could not establish a secure connection to Clean Access Manager

    Hello everyone
    I am implementing a failover solution of NAC in OOB VG version 4.8, I have 2 CAS and 2 CAM.
    The error I am getting is when I connect to both the IP address and the FQDN of the CAS.
    ===========
    Network Error:
    Clean Access Server could not establish a secure connection to Clean Access Manager at camsrv3.cadivi.gob.ve.
    This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
    Please report this to your network administrator.
    ==========
    For the CAMs I use the names camsrv1 and camsrv2, then generated a CSR on camsrv1 with the name camsrv3.mycompany.com, corresponding to the virtual IP, and exported it to camsrv2. I installed the company's CA certificate and everything works perfectly.
    This is the failover configuration
    CAM:
    Primary:     10.1.206.248 camsrv1.mycompany.com
    Secondary: 10.1.206.249 camsrv2.mycompany.com
    Virtual:       10.1.206.250 camsrv3.mycompany.com
    Then I do exactly the same steps for the CASs, and this is the failover configuration:
    Primary:     10.1.216.248 cassrv1.mycompany.com
    Secondary: 10.1.216.249 cassrv2.mycompany.com
    Virtual:       10.1.216.250 cassrv3.mycompany.com
    Then I add the certificate of the CAM to the CAS under the "Trusted Certificate Authorities" tab, and vice versa.
    The communication between all the CAMs and CASs is correct (primary, secondary and virtual). I can ping the IP and the FQDN, and I can also manage the CAS through the CAM.
    I verified that the time was right on the CAM and the CAS, and all is good there.
    Appreciate your help
    Eduardo Navas

    Eduardo,
    Bump up the CAS/CAM communications logging on both the CAS and CAMs, and then look in the log files for clues.
    On CAM they live in /perfigo/control/tomcat/logs and on CAS in /perfigo/access/tomcat/logs
    HTH,
    Faisal
    If you find this post helpful, please rate so others can find the answer easily

  • Network becomes limited or unavailable as soon as i connect to cisco anyconnect secure mobility client, version - 3.1.05170

    Hiee,
    I am using Cisco AnyConnect Secure Mobility Client, version 3.1.05170, on my Windows 8.1 PC to access the VPN to my office desktop. But as soon as I connect the Cisco AnyConnect client, my Wi-Fi network becomes limited or unavailable. Thus, I am not able to get remote access to my office desktop, and not able to access any other websites either. But as soon as I disconnect from the Cisco AnyConnect VPN client, everything becomes normal, and the exclamation mark on the network icon also disappears.
    kindly help me in this regard.
    Thanks and regards
    Neeraj

    There are a few things to consider here:
    - The IPSec VPN client is EoL, so even if we consider this as a bug, it wouldn't be fixed
    - fixing the file server access would break the DHCP renew which means there is no completely clean way to fix this, at least not at the IP level since the client can't route to the same destination using 2 different paths.
    Is there any chance we could do a static policy NAT for the DHCP traffic so it appears to come from another IP? It's twisted and it may not work (the client might use the DHCP server IP embedded inside the payload and not the source IP) but if it does, then we'd fix the overlap.
    Could the server use another IP address for the DHCP service (much like using a loopback for a certain service on a router?)
    A third solution would be to NAT the destination server IP on the ASA for traffic from the IP pool going to the server. We'd need DNS doctoring as well to resolve the server's name to the NATted IP. This way the server would appear from the VPN client as being at a different IP, thereby fixing the overlap.
    All these potential solutions are quite involved... you may be better off with a simpler design: splitting your server into two, or using something else to do DHCP for the VPN clients.

  • Clean Access Server could not establish a secure connection

    I have a OOB Real IP GW setup on v4.1.2
    I seem to have a problem with the CAS connecting to the CAM, although I have added the CAS to the CAM and can manage the CAS from the CAM.
    I noticed while troubleshooting client authentication that the client was not being redirected to the logon web page and it had full access to the trusted network from the untrusted authentication VLAN. I eventually figured out that if I change the CAS Filter Fallback method from Allow to Ignore then it tries to authenticate the client. However, the fact that the fallback is activated tells you that something is not right.
    I have 2 problems:
    A) The client's web page is redirected for authentication, but it only lists the domain name in the URL and not the hostname or host IP. In the lab I do not have a DNS server, and it would not help as it does not include the hostname in the URL anyway. How do I fix this, or perhaps it's related to the 2nd problem?
    B) When I manually change the URL by replacing the domain name with the IP of the CAS (untrusted OOB Real IP GW) then I get the following error message when logging on:
    Network Error:
    Clean Access Server could not establish a secure connection to Clean Access Manager at mydomain.com.
    This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
    Please report this to your network administrator.
    I would guess the culprit is No 2, but surely the system can run on self-signed certificates? I have an NTP server so time is in sync. I have even tried regenerating the certificates on the CAM & CAS.
    Any ideas?

    To overcome problem B, I regenerated the SSL certificates using the host IP address instead of the name for all the CAM & CAS appliances. This seems to have resolved this problem.
    I also SSH'd from each of the CASs to each of the CAMs from the CLI, and it then prompts to permanently store the certificates. I'm not sure if this was necessary though.
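Both NAC threads above hit the same error text, which lists three causes: the CAM certificate has expired, it cannot be trusted, or the CAM cannot be reached. The second cause covers more than a missing CA: a certificate is also "not trusted" for a connection when the name the CAS uses to reach the CAM (a virtual-IP FQDN in the first thread, a bare domain or the IP address in the second) is not one of the names in the certificate. That is why regenerating the certificates with the IP address fixed the second thread: the IP the CAS was actually using then appeared in the certificate. The code below is an added example, not part of either thread and not Cisco's code; it applies the expiry and name checks to certificate dictionaries in the shape Python's ssl.getpeercert() returns, plus a plain TCP reachability probe for the third cause. The certificates are constructed; the hostnames and IPs are the ones from the posts.

```python
"""Diagnose why a peer's TLS certificate is rejected for a given name.

Added example, not part of the original threads. It reproduces the first two
causes in the NAC error text (expired certificate, certificate not valid for
the name used) against certificate dicts in the shape ssl.getpeercert()
returns, and the third (unreachable) with a TCP probe. The certificates below
are constructed; the names and IPs come from the posts above.
"""
import ipaddress
import socket
import ssl
import time


def cert_names(cert):
    """Return (dns_names, ip_names) from subjectAltName, else the subject CN."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:                 # no SAN: fall back to CN (legacy behaviour)
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return dns, ips


def dns_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    host = host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def diagnose(cert, expected_host, now=None):
    """List the reasons 'expected_host' would not be accepted for this certificate."""
    now = time.time() if now is None else now
    reasons = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    dns, ips = cert_names(cert)
    try:
        wanted_ip = ipaddress.ip_address(expected_host)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:               # peer addressed by IP: only an IP SAN counts
        ok = any(ipaddress.ip_address(i) == wanted_ip for i in ips)
    else:
        ok = any(dns_matches(p, expected_host) for p in dns)
    if not ok:
        reasons.append("name mismatch: certificate is for %s, peer addressed as %s" % (dns + ips, expected_host))
    return reasons


def reachable(host, port=443, timeout=3.0):
    """Third cause in the error text: can the peer be reached at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed certificates in ssl.getpeercert() shape.
SUBJECT = ((("organizationName", "mycompany"),), (("commonName", "camsrv3.mycompany.com"),))
CERT_DNS_ONLY = {
    "subject": SUBJECT,
    "subjectAltName": (("DNS", "camsrv3.mycompany.com"),),
    "notBefore": "Jan 01 00:00:00 2014 GMT",
    "notAfter": "Dec 31 23:59:59 2014 GMT",
}
CERT_WITH_IP = dict(CERT_DNS_ONLY,
                    subjectAltName=(("DNS", "camsrv3.mycompany.com"), ("IP Address", "10.1.206.250")))
CERT_EXPIRED = dict(CERT_DNS_ONLY, notAfter="Dec 31 23:59:59 2013 GMT")
NOW = ssl.cert_time_to_seconds("Jun 01 00:00:00 2014 GMT")   # fixed clock so the output is repeatable

if __name__ == "__main__":
    print("FQDN, DNS-only cert:  ", diagnose(CERT_DNS_ONLY, "camsrv3.mycompany.com", NOW))
    print("IP, DNS-only cert:    ", diagnose(CERT_DNS_ONLY, "10.1.206.250", NOW))
    print("IP, cert with IP SAN: ", diagnose(CERT_WITH_IP, "10.1.206.250", NOW))
    print("FQDN, expired cert:   ", diagnose(CERT_EXPIRED, "camsrv3.mycompany.com", NOW))
```

Against a live appliance, get the certificate dict from a verified connection (ssl.getpeercert() returns an empty dict when verification was skipped) or read the fields off `openssl s_client -connect camsrv3.mycompany.com:443` and fill them in by hand. The second printed line is the situation in the second thread: a certificate with only a DNS name is rejected as soon as the CAS addresses the CAM by IP, and the fix is either to contact the CAM by the name in the certificate or, as the poster did, to issue the certificate for the address actually used.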

  • Cannot Connect to App Store / Establish Secure Server Connection

    I've seen a lot of posts on this:
    App Store Error: "Cannot Connect to the App Store" (No Internet Connection)
    Google (or any other https://) Site Error: "Cannot Establish a Secure Server Connection"
    My OS is 10.8.5.
    Obviously, I've checked that I have an internet connection. FireFox works... non-secure (http://) sites work... I'm starting to pull my hair out.
    These are all suggestions from posts that I've seen. Some worked for some people, but not me!
    I've checked that my Date & Time are correct, as suggested.
    I've created a new Network Location in my Network System Prefs. Nope. Didn't help.
    I've gone thru every Certificate in my Utilities / Keychain Access and eliminated all the blue '+'s'.
    I've deleted every *.plist file from my Preferences that I thought might help. Nada. Still no App Store, no Google.
    THEN, a Mac epiphany:
    Go back to Date & Time Preferences
    Under the Date & Time tab - check the box "Set date and time automatically:" (you probably do. I did. But make sure.)
    Under the Time Zone tab - check the box "Set time zone automatically..." AHH HA! I didn't have it checked.
    Now a message comes up - something like, you don't have your Location Services enabled... hmm.
    Go to: System Prefs > Security & Privacy
    Under the Privacy tab - check the box "Enable Location Services" (You may have to unlock [padlock in lower left] to make changes)
    That did it. App Store instantly loaded as well as https:// google.
    For those who have tried all the other posted suggestions - before you pull the rest of your hair out - this is one more thing to try.
    Hope it helps.

    Ignore.

  • Network security for EP server

    Hi,
    If I have a portal server which talks to SAP R/3 systems, how should network security be achieved if the portal has to be open to the internet?
    Where will the firewalls come into the picture? How many DMZs should there be? Is there any SAP recommendation document on this? Any info would be of great help.
    regards,
    Sujesh

    Hi Sujesh,
    Normally SAP recommends (on their courses) that you have a reverse proxy in the DMZ, then a firewall, then the portal, then a firewall, then the backend SAP systems, etc.
    However, it also depends on what you already have network architecture wise.
    Paul
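The layout in Paul's reply is a chain of tiers in which each hop is terminated by something (reverse proxy, portal) rather than routed through, so the firewall rule base should only ever permit traffic between neighbouring tiers. The script below is an added example, not SAP's guidance and not code from the thread: it encodes that chain as an ordered list of tiers and reports every rule in a constructed rule set that crosses more than one boundary or has an unbounded source. Tier names and the sample rules are assumptions.

```python
"""Check a firewall rule set against the tiered portal layout described above.

Added example, not SAP's or the original poster's code. Tier names and the
sample rules are assumptions; the layout itself (reverse proxy in the DMZ,
firewall, portal, firewall, backend) is the one the reply recommends.
"""
TIERS = ["internet", "dmz", "portal", "backend"]   # outermost to innermost

# Constructed rule set: (source tier, destination tier, service, comment)
RULES = [
    ("internet", "dmz",      "tcp/443",   "browsers to the reverse proxy"),
    ("dmz",      "portal",   "tcp/50000", "reverse proxy to the portal Java stack"),
    ("portal",   "backend",  "tcp/3300",  "portal RFC to SAP R/3"),
    ("internet", "portal",   "tcp/50000", "temporary bypass for a demo"),   # skips the DMZ proxy
    ("dmz",      "backend",  "tcp/3300",  "leftover from testing"),         # DMZ straight to R/3
    ("backend",  "internet", "tcp/80",    "OS patch downloads"),            # backend initiates to internet
    ("any",      "portal",   "tcp/22",    "admin ssh"),                     # unbounded source
]


def rule_violations(rules, tiers=TIERS):
    """Return (rule, reason) for each rule that is not between adjacent named tiers."""
    index = {name: i for i, name in enumerate(tiers)}
    out = []
    for rule in rules:
        src, dst = rule[0], rule[1]
        if src not in index or dst not in index:
            out.append((rule, "source or destination is not a named tier"))
            continue
        hops = abs(index[src] - index[dst])
        if hops > 1:
            out.append((rule, "skips %d tier(s) between %s and %s" % (hops - 1, src, dst)))
    return out


if __name__ == "__main__":
    for rule, reason in rule_violations(RULES):
        print("%-8s -> %-8s %-9s %-40s %s" % (rule[0], rule[1], rule[2], rule[3], reason))
```

The check is deliberately direction-agnostic: the backend fetching patches from the internet skips two tiers just as an inbound bypass does, and the usual fix is the same, a proxy or repository in the next tier out. Rules whose source is "any" are reported separately because they defeat the tier model regardless of port.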

  • HT4199 how do I stop my mac from connecting to a non-secure network in my area instead of my preferred network.

    How do I stop my mac from connecting to a non-secure network in my area instead of my preferred secure network

    Linc's answer is correct but I know it does not always work.
    If security is critical use a wired ethernet connection preferably with a fixed IP and the router's DHCP server turned off.

  • Win7 Pro ws, connected to Active domain network SBS2K8 server, but firewall Public networks - Connected.

    Win7 Pro workstation shows active domain network but firewall thinks it's connected to Public Network. 
    Other Win7 Pro workstations in the same domain have no problems and show the correct Domain Network: Connected in the firewall panel. 
    SBS2K8 server can't see the security status of, or offer remote assistance to, this workstation until its firewall is disabled. 
    Domain name is correct. Machine IS logged into the domain. User has normal rights / Admin account. Just like everyone else.
    This system has current AV, but disabling it (not uninstalling) makes no difference. All the machines have the same AV.
    Not a wireless network, standard CAT5. Network connectivity appears normal: Access files on server share, browse internet, etc... all just fine.
    Already installed:
    http://support.microsoft.com/kb/2524478
    I've seen 
    http://social.technet.microsoft.com/Forums/en-US/7bce7005-b820-4340-a4c8-68025272d3aa/windows-firewall-falsely-shows-connected-to-public-network-when-my-computer-is-joined-to-domain?forum=w7itprosecurity
    But this is not a virtual machine. It does run the WinXP mode V but this is happening in the regular Win7 OS. 

    Went back to the machine today to check your suggestions, and... now it's correct!
    Hi,
    How many network adapter cards do you have in your computer?
    Just the one. A Realtek PCIe GBE
    Check whether the DNS is the correct one you had deployed
    Yes, DNS is set to the 2k8 server IP as primary, and the secondary is OpenDNS. 
    and update the group policy by using this command: "gpupdate /force".
    Done, didn't appear to log any changes.
    Check the registry key at  “HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName”
    The NetworkName should be the domain name, when you get this done you will get a domain network profile, then restart your computer.
    This key does exist and is the correct domain name.
    More information refer to this article:
    http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx
    I think this is the answer you want.
    Thanks for that. I've read through it and will keep it on file if the problem returns.
    Regards
    v-yamliu

  • Inside network can't access webpage via domian name hosted on inside network web server

    I've just deployed Cisco 1900 series router.
    Configured the network with NAT overload. Everything seems to work fine, just one thing that bothers me: I have a web server on the inside network, and I can't reach the webpage hosted on that server using www.domainname.com. I can only connect to it via the internal IP.
    For now I've solved this by adding the domain name and internal IP of the server to the hosts file in Windows.
    But I'd like to know if there is any better way to solve this?

    found a solution
    http://tech.jocke.no/2010/09/24/cisco-ios-nat-virtual-interface/

  • I cannot update my ipad2 to ios5.  Updating through iTunes on pc Windows Vista, Error message reads "cannot connect to iPad Software Update Server.  Tried resetting network settings, still not connecting.  Tried updating iTunes, still not connecting.

    I cannot update my ipad2 to ios5.  Updating through iTunes on pc Windows Vista, Error message reads "cannot connect to iPad Software Update Server.  Tried resetting network settings, still not connecting.  Tried updating iTunes, still not connecting.

    Look at iOS Troubleshooting Wi-Fi networks and connections  http://support.apple.com/kb/TS1398
    Additional things to try.
    Try this first. Turn Off your iPad. Then turn Off (disconnect power cord) the wireless router & then back On. Now boot your iPad. Hopefully it will see the WiFi.
    Change the channel on your wireless router. Instructions at http://macintoshhowto.com/advanced/how-to-get-a-good-range-on-your-wireless-network.html
    How to Quickly Fix iPad 3 Wi-Fi Reception Problems
    http://osxdaily.com/2012/03/21/fix-new-ipad-3-wi-fi-reception-problems/
    If none of the above suggestions work, look at this link.
    iPad Wi-Fi Problems: Comprehensive List of Fixes
    http://appletoolbox.com/2010/04/ipad-wi-fi-problems-comprehensive-list-of-fixes/
     Cheers, Tom

  • I'm on an iphone that is no longer connected to the network, using it as an ipod touch. I can't download apps, however... it tells me that there is no secure connection and to update the date and the time. I'm not on a public network though...

    I am using an old iPhone 3 as an iPod touch. It's no longer connected to a network. I am trying to download apps while using a secure internet connection, however, it's not allowing me to do so. The message it gives is: "Cannot Connect to the Store. A secure connection could not be established. Please check your date and time settings." I'm confused as to how I can fix this. The time seems to be correct, and I'm not using public internet.... Any suggestions??

    The warranty entitles you to complimentary phone support for the first 90 days of ownership.

  • When I enter my password to start my atv it tells me, that "there was a problem connecting to the network."  My Ipad works fine but not my new atv.  I have reset my password multiple times with no help.  I have also rebooted my wireless server.take it bac

    When I enter my password to start my atv it tells me, that "there was a problem connecting to the network."  My Ipad works fine in my house, but not my new atv.  I have reset my password multiple times with no help.  I have also rebooted my wireless server.  Do I take it back?

    Where is everyone????  Does anyone have an answer???
    Allik1

  • I cannot get my iMac with built-in airport to allow internet connections to Nook and PS3. The devices access the network, but internet connection fails. Internet sharing is enabled, network security (WEP, WPA) is completely off.  What to check next?

    I cannot get my iMac with built-in airport wi-fi to allow internet connections to Nook and PS3. The devices access the network, but internet connection fails. Internet sharing is enabled, network security (WEP, WPA) is disabled.  What to check next?

    On an additional note, I've purchased a wireless router and everything connected on the first attempt.  It just vexes me that the built-in wireless isn't working as a router.  Is this another example of "Mac only plays with Mac"?
