Chapter 4 Enhancing Security 53
This allows an organization to provide services to the external network while
protecting the internal network from being compromised by a host in the DMZ. If
someone compromises a DMZ host, he or she cannot connect to the internal network.
The DMZ is often used to connect servers that need to be accessible from the external
network or Internet, such as mail, web, and DNS servers.
Connections from the external network to the DMZ are often controlled using firewalls
and address translation.
You can create a DMZ by configuring your firewall. Each network is connected to a
different port on the firewall, called a three-legged firewall setup. This is simple to
implement but creates a single point of failure.
Another approach is to use two firewalls with the DMZ in the middle, connected to
both firewalls, and with one firewall connected to the internal network and the other
to the external network. This is called a screened-subnet firewall.
This setup provides protection against a firewall misconfiguration that would otherwise
allow access from the external network to the internal network, because a single
mistake on one firewall is not enough to expose the internal network.
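To make the three-legged setup concrete, here is an added example (not from this guide) that models the firewall's zone policy in Python: each leg is an interface, the first matching rule wins, anything unmatched is denied, and a packet whose source address does not belong to its ingress leg is dropped as spoofed. Interface names, subnets and published services are constructed.

```python
"""Zone policy for a three-legged DMZ firewall (constructed example)."""
from ipaddress import ip_address, ip_network

# One zone per firewall leg; external is the catch-all (constructed addresses).
ZONES = {
    "external": ip_network("0.0.0.0/0"),
    "dmz":      ip_network("192.0.2.0/24"),   # TEST-NET-1, constructed
    "internal": ip_network("10.0.0.0/8"),
}
# Ingress interface decides the source zone (constructed interface names).
IFACE_ZONE = {"en0": "external", "en1": "dmz", "en2": "internal"}

# First-match rules: (from zone, to zone, allowed dst ports or "*", action)
RULES = [
    ("external", "dmz",      {25, 53, 80, 443}, "allow"),  # published services only
    ("internal", "dmz",      "*",               "allow"),  # admins manage DMZ hosts
    ("internal", "external", "*",               "allow"),  # outbound client traffic
    ("dmz",      "internal", "*",               "deny"),   # a compromised DMZ host is contained
    ("dmz",      "external", {25, 53},          "allow"),  # mail relay and DNS resolution only
]

def zone_of(addr):
    """Zone whose subnet matches addr with the longest prefix (external is the fallback)."""
    ip = ip_address(addr)
    return max((net.prefixlen, zone) for zone, net in ZONES.items() if ip in net)[1]

def decide(iface, src, dst, dport):
    """Return 'allow' or 'deny' for a packet entering the firewall on iface.

    Deny by default. A source address that belongs to a different leg than the
    one the packet arrived on is treated as spoofed and dropped.
    """
    src_zone = IFACE_ZONE[iface]
    if zone_of(src) != src_zone:
        return "deny"                      # anti-spoofing check per leg
    dst_zone = zone_of(dst)
    for frm, to, ports, action in RULES:
        if frm == src_zone and to == dst_zone and (ports == "*" or dport in ports):
            return action
    return "deny"                          # no rule matched

if __name__ == "__main__":
    print(decide("en0", "203.0.113.5", "192.0.2.10", 80))   # external -> DMZ web: allow
    print(decide("en1", "192.0.2.10", "10.0.0.5", 445))     # DMZ -> internal: deny
```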
VLANs
Mac OS X Server provides 802.1q Virtual Local Area Network (VLAN) support on the
Ethernet ports and secondary PCI gigabit Ethernet cards available or included with
Xserves.
VLAN allows multiple computers on different physical LANs to communicate with
each other as if they were on the same LAN. Benefits include more efficient network
bandwidth utilization and greater security, because broadcast or multicast traffic is
only sent to computers on the common network segment. Xserve VLAN support
conforms to the IEEE 802.1q standard.
MAC Filtering
MAC filtering (or layer 2 address filtering) refers to a security access control where a
network interface’s MAC address, or Ethernet address (the 42-bit address assigned to
each network interface), is used to determine access to the network.
MAC addresses are unique to each card, so using MAC filtering on a network permits
and denies network access to specific devices, rather than to specific users or network
traffic types. Individual users are not identified by a MAC address, only a device, so an
authorized person must have an allowed list of devices that he or she would use to
access the network.