Re: DMZ

From: Patrick Morris (pmorris@wilshire.com)
Date: 01/16/02


Date: Tue, 15 Jan 2002 19:39:40 -0800
From: Patrick Morris <pmorris@wilshire.com>
To: Carol Wood <cwood@sysplan.com>

If I may throw in my two cents -- your consultant doesn't understand
what a DMZ does. The purpose of a DMZ is to isolate your
publicly-accessible servers (web servers, mail, and the like) from
those machines you don't want anyone from the outside ever getting
into. A properly-configured DMZ is probably the best thing you can
do, security-wise, to protect the internal machines the public has no
business poking around in. It helps ensure that, should one of those
accessible machines be compromised, the attacker can't then just jump
to any machine he wants -- his reach is limited only to the other
machines on the DMZ. Without a DMZ, those internal machines would be
wide open to attacks once someone gets into, for example, your
webserver.

I have no idea what he would mean by telling you using RFC1918
addresses somehow means more machines in your DMZ. That's simply not
the case. If you have a NAT-capable firewall routing between three
interfaces (your inside net, your outside net, and your DMZ), no
additional hosts are required in your DMZ. I'm not sure what he was
thinking you'd need there.

Where were you considering NAT? For just the internal machines, or
for the DMZ as well? Security-wise, there are pros and cons to both
approaches... depending on what you're going to put in your DMZ,
though, and what will be doing the NATting, you might want to consider
subnetting your ISP-provided space into a couple subnets: one for the
outside link (which ideally would only consist of a router and your
firewall), and another subnet for your DMZ. I would highly recommend
RFC1918 (non-routable) space for your internal net, regardless of what
your consultant (whose knowledge I can't say I'd put much weight in)
has told you.

Carol Wood wrote:

> I have a consultant that does not recommend a DMZ -
> - he says it does not translate to added security. He
> says that a firewall is all you need.

> I also was interested in using non-routed IP
> addresses and his response is that this will result in
> too many machines required in the DMZ = less
> security overall.
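A small model of the three-interface firewall Patrick describes, added here as an example and not part of the original thread: the ISP-provided block is split into an outside-link subnet and a DMZ subnet, the inside net uses RFC1918 space NATted at the firewall, and the policy table has no DMZ-to-inside entry, so a compromised DMZ host stays confined. The addresses, ports and policy table are constructed assumptions, not anything from the thread.

```python
import ipaddress

# Constructed addressing (not from the original post): the ISP-provided
# block is 203.0.113.0/27, split as Patrick suggests into a subnet for the
# outside link (router + firewall) and a second subnet for the DMZ.
ISP_BLOCK = ipaddress.ip_network("203.0.113.0/27")
OUTSIDE_LINK, DMZ = ISP_BLOCK.subnets(prefixlen_diff=1)   # two /28s
INSIDE = ipaddress.ip_network("10.0.0.0/24")                # RFC1918 space
FIREWALL_OUTSIDE = "203.0.113.2"   # firewall's address on the link subnet

def zone(ip):
    """Map an address to the firewall interface it sits behind."""
    addr = ipaddress.ip_address(ip)
    if addr in INSIDE:
        return "inside"
    if addr in DMZ:
        return "dmz"
    return "outside"   # the link subnet and the rest of the Internet

# Allowed TCP destination ports per (source zone, destination zone).
# Pairs that are absent are denied, so dmz -> inside is never reachable.
ANY = "any"
POLICY = {
    ("outside", "dmz"): {25, 80, 443},   # mail and web, nothing else
    ("inside", "dmz"): ANY,              # admins reach the DMZ freely
    ("inside", "outside"): ANY,          # normal outbound traffic
    ("dmz", "outside"): {25, 53},        # outbound mail relay and DNS only
}

def decide(src, dst, dport):
    """Return ACCEPT or DROP for a new connection; the default is deny."""
    allowed = POLICY.get((zone(src), zone(dst)))
    if allowed is None:
        return "DROP"
    return "ACCEPT" if allowed == ANY or dport in allowed else "DROP"

def nat_source(src):
    """Inside hosts leave via the firewall's outside address; DMZ hosts,
    having ISP-provided addresses, need no translation."""
    return FIREWALL_OUTSIDE if zone(src) == "inside" else src

def dmz_is_isolated(inside_host="10.0.0.5", ports=range(1, 1024)):
    """The property from the post: a compromised DMZ host cannot open a
    connection to any inside host on any of the given ports."""
    return all(decide(str(h), inside_host, p) == "DROP"
               for h in DMZ.hosts() for p in ports)
```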
