My client’s network security person is setting up their new website in a DMZ for security. This makes total sense to me. However, she proceeded to say that it’s a best practice that the company employees not be able to access the site internally. For example, to check if the site was up, she suggested they use their phone.
Is this a new thing? Does it even make sense? I’ve never heard of not allowing company employees to access the company website over their internal network before. I’m not a security person, I’m a developer, so if this is right on the money please let me know, it just seemed unusual to me.
Is this a best practice that companies are implementing now? Is it the advised way to go?
Any information is greatly appreciated. I’m just confused and a little stunned.
Thanks!
They should be blocking the windows domain, directory services and unused ports from the inside network but should allow the necessary web ports for management. The purpose of the dmz is to protect your internal network from the public server, not the other way around. You shouldn’t have to the network security guy that the risk is too low to justify the extra costs associated with monitoring the server from the outside. If your security guy has any experience in network security he’ll know that this is standard practice. If not, take it to management and tell them that you need them to pay for another internet connection to monitor your servers or ask the security guy to make 1 access list change in his firewall.