We have to move a server from within the firewall to a DMZ (not a true DMZ, but a space that's between 2 firewalls). Is it typically a good idea, when moving a server in this fashion, to stand up another machine with the target IP to test the firewall rules prior to moving the production machine? If not, why not?

Note: These are all VMs, so standing up a test box is trivial.

cdeszaq
  • If you have the opportunity to test then you should do so - it's the only way to be sure. – user9517 Apr 04 '13 at 13:24
  • I agree with @Iain. Testing will always be a time/cost/risk tradeoff. You have the ability to test quickly, with no cost, so there's no reason *not* to. – Dan Apr 04 '13 at 13:25
  • Agree with @Iain too, but your question falls under "this question will likely solicit debate, arguments, polling, or extended discussion". It's really specific to your environment and the particular scenario. – TheCleaner Apr 04 '13 at 13:43

1 Answer

Best practices are to ALWAYS:

  1. Establish a solid plan for the change you are about to make.
  2. Establish a solid plan to REVERSE the change in the event something goes wrong.
    This should include criteria for when you reverse the change.
  3. Test #1 and #2 above.
  4. Make your change in accordance with the plan in #1.
    (and if necessary roll it back in accordance with #2.)
  5. Celebrate your success (or drink away the memory of your failure) at the local pub afterwards.

So yes - You should test this (ideally in a dev environment, otherwise by standing up a test machine in production to poke at).
In your case, since we're talking about virtual machines, you really have NO excuse for not testing. Failure to adequately test will cause you to be ridiculed by your colleagues, and pilloried by your users should something go wrong.

voretaq7
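One way to carry out the test described above from a stand-in VM holding the target IP, with an explicit reversal criterion; this is an added example, not code from the original post. The addresses, ports, rule matrix and function names are constructed placeholders, and the "any mismatch means rollback" criterion is an assumption.

```python
import socket

# Constructed rule matrix for the test VM that holds the server's future DMZ IP.
# Addresses are documentation-range placeholders, not values from the post.
PLAN = [
    ("192.0.2.10", 5432, "allow"),   # DMZ -> internal database
    ("192.0.2.20", 22,   "deny"),    # DMZ must not reach internal SSH
]

def probe(host, port, timeout=2.0):
    """Return 'open', 'refused' (RST came back) or 'filtered' (no usable reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, no route, ICMP unreachable
        return "filtered"

def check_rules(plan, timeout=2.0):
    """Return (host, port, expected, observed) for every rule that disagrees."""
    mismatches = []
    for host, port, expected in plan:
        observed = probe(host, port, timeout)
        # 'allow' needs a completed handshake, so a listener must exist on the
        # far side; 'deny' is satisfied by either a reject or a silent drop.
        ok = (observed == "open") if expected == "allow" else (observed != "open")
        if not ok:
            mismatches.append((host, port, expected, observed))
    return mismatches

def decide(mismatches):
    """Reversal criterion assumed here: any mismatch means do not proceed."""
    return "proceed" if not mismatches else "rollback"

if __name__ == "__main__":
    failures = check_rules(PLAN)
    for host, port, expected, observed in failures:
        print(f"MISMATCH {host}:{port} expected={expected} observed={observed}")
    print(decide(failures))
```

Run it from the test VM for outbound rules, and from each network that should (or should not) reach the server for inbound rules, with the matrix adjusted for that vantage point.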