Re: DMZ

From: Patrick Morris (pmorris@wilshire.com)
Date: 01/16/02


Date: Tue, 15 Jan 2002 19:39:40 -0800
From: Patrick Morris <pmorris@wilshire.com>
To: Carol Wood <cwood@sysplan.com>

If I may throw in my two cents -- your consultant doesn't understand
what a DMZ does. The purpose of a DMZ is to isolate your
publicly accessible servers (web servers, mail, and the like) from
those machines you don't want anyone from the outside ever getting
into. A properly-configured DMZ is probably the best thing you can
do, security-wise, to protect the internal machines the public has no
business poking around in. It helps ensure that, should one of those
accessible machines be compromised, the attacker can't then just jump
to any machine he wants -- his reach is limited only to the other
machines on the DMZ. Without a DMZ, those internal machines would be
wide open to attacks once someone gets into, for example, your
webserver.

I have no idea what he would mean by telling you using RFC1918
addresses somehow means more machines in your DMZ. That's simply not
the case. If you have a NAT-capable firewall routing between three
interfaces (your inside net, your outside net, and your DMZ), no
additional hosts are required in your DMZ. I'm not sure what he was
thinking you'd need there.

Where were you considering NAT? For just the internal machines, or
for the DMZ as well? Security-wise, there are pros and cons to both
approaches... depending on what you're going to put in your DMZ,
though, and what will be doing the NATting, you might want to consider
subnetting your ISP-provided space into a couple of subnets: one for the
outside link (which ideally would only consist of a router and your
firewall), and another subnet for your DMZ. I would highly recommend
RFC1918 (non-routable) space for your internal net, regardless of what
your consultant (whose knowledge I can't say I'd put much weight in)
has told you.

Carol Wood wrote:

> I have a consultant that does not recommend a DMZ --
> he says it does not translate to added security. He
> says that a firewall is all you need.

> I also was interested in using non-routed IP
> addresses and his response is that this will result in
> too many machines required in the DMZ = less
> security overall.
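As an added illustration that is not part of Patrick's message or of this thread: a small Python model of the three-interface firewall he describes (inside, outside, DMZ), with a first-match, default-deny zone policy. The addressing (203.0.113.0/24 standing in for the ISP-provided block, split into an outside-link subnet and a DMZ subnet, with 10.0.0.0/24 as the RFC1918 inside net), the host addresses, the service list and the rule set are all assumptions invented for the example. The point it shows is the one in the message: traffic between two hosts on the same segment never crosses the firewall, so a compromised DMZ web server can still reach its DMZ neighbours, but has no rule letting it into the inside net; put the same web server on a flat internal network and it reaches everything.

```python
"""Toy model of a three-interface (inside / DMZ / outside) firewall policy.

Zone-to-zone rules are checked in order, first match wins, default deny.
Traffic between two hosts in the same zone never crosses the firewall, so
it is always accepted -- which is exactly why a compromised DMZ host can
reach its DMZ neighbours but nothing on the inside.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption, not from the original message):
# 203.0.113.0/24 stands in for the ISP-provided block, split into an
# outside-link subnet (router + firewall only) and a DMZ subnet; the
# inside uses RFC1918 space.
ZONES = {
    "outside_link": ipaddress.ip_network("203.0.113.0/29"),
    "dmz": ipaddress.ip_network("203.0.113.64/26"),
    "inside": ipaddress.ip_network("10.0.0.0/24"),
}
FIREWALL_OUTSIDE_IP = "203.0.113.2"   # NAT source address for inside hosts

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"   # anything not ours is the outside world


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# (src_zone, dst_zone, allowed {(proto, port)} or None for any, action)
RULES = [
    ("internet", "dmz", {("tcp", 80), ("tcp", 443), ("tcp", 25)}, "accept"),  # published services only
    ("inside", "dmz", None, "accept"),             # staff publish content / read mail
    ("inside", "internet", None, "accept"),        # NATed outbound browsing
    ("dmz", "internet", {("tcp", 25)}, "accept"),  # DMZ mail relay may send mail out
    # deliberately no dmz -> inside rule: falls through to default deny
]


def decide(pkt: Packet) -> str:
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if src_zone == dst_zone:
        return "accept"  # same segment: the firewall never sees this traffic
    for szone, dzone, services, action in RULES:
        if (szone, dzone) == (src_zone, dst_zone) and (
                services is None or (pkt.proto, pkt.dport) in services):
            return action
    return "drop"


def nat_source(pkt: Packet) -> str:
    """Source address seen on the far side: inside hosts hide behind the firewall."""
    if zone_of(pkt.src) == "inside" and zone_of(pkt.dst) != "inside":
        return FIREWALL_OUTSIDE_IP
    return pkt.src


def reach(src: str, targets, proto="tcp", dport=22):
    """Targets a host at `src` can open a connection to (e.g. an attacker pivoting over SSH)."""
    return {t for t in targets if decide(Packet(src, t, proto, dport)) == "accept"}


# Constructed hosts (assumptions)
WEB = "203.0.113.70"      # DMZ web server
MAIL = "203.0.113.71"     # DMZ mail relay
FILESERVER = "10.0.0.10"  # inside
DB = "10.0.0.20"          # inside
ATTACKER = "198.51.100.9"


def compromised_webserver_reach():
    """What an attacker who owns the DMZ web server can pivot to."""
    return reach(WEB, [MAIL, FILESERVER, DB])


def flat_network_reach():
    """Same web server, but on the inside net with no DMZ (constructed 10.0.0.80)."""
    return reach("10.0.0.80", [FILESERVER, DB])


if __name__ == "__main__":
    print(decide(Packet(ATTACKER, WEB, "tcp", 80)))
    print(decide(Packet(ATTACKER, DB, "tcp", 1433)))
    print(compromised_webserver_reach())
    print(flat_network_reach())
```

Running it shows the Internet reaching the web server on port 80 but not the database, the compromised web server reaching only the mail relay, and the flat-network variant reaching both internal hosts. The `nat_source` helper is there to make the other half of the message concrete: NAT on the inside interface hides the RFC1918 hosts behind the firewall's outside address and adds nothing to the DMZ.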