RE: DMZ

From: Terry (terry@goantiques.com)
Date: 01/16/02


From: "Terry" <terry@goantiques.com>
To: "Carol Wood" <cwood@sysplan.com>, <focus-ms@securityfocus.com>
Date: Tue, 15 Jan 2002 19:46:38 -0500

So, you've got an internal network consisting of workstations and 1 or more
webservers in 2 locations. I'm not sure how you're set up in each location as far
as allowing internet access from within (I'm guessing some sort of
proxy/firewall) but here's one suggestion:

Locations 1 and 2:

                |
                |
                |
                |
        eth1 (To outside internet/uplink to ISPs T1 router/cable/dsl )
|---------------------------------|
| DMZ machine:                    |
| Firewall/Router/Port forwarding |
|                                 |
|_________________________________|
        eth2 (to internal network)
                |
                |
                |
                |
                |
                |
        | Hub or Switch |
                |
                |
                |

|---- Internal network using non routed IP's ----|
|                                                |
|  |---------------|    |---------------|        |
|  | Workstation 1 |    | Workstation 2 |        |
|  |_______________|    |_______________|        |
|                                                |
|  |---------------|    |---------------|        |
|  | Workstation 3 |    | Workstation 4 |        |
|  |_______________|    |_______________|        |
|                                                |
|  |-------------|      |------------|           |
|  |Web Server 1 |      |Web Server 2|           |
|  |_____________|      |____________|           |
|                                                |
|                                                |
|  |-------------|                               |
|  |DHCP Server  |                               |
|  |_____________|                               |
|                                                |
|                                                |
|________________________________________________|

As you can see, all traffic, whether it's going in or out, HAS to pass through
the DMZ. You can also open up specific ports (say for 80) and have them go
directly to the webserver using the private address (192.168.1.x).
This means that no connection can possibly have access to your local web
server OR workstations unless you allow it (via port forwarding). The only
machine that is vulnerable to probes, attacks or other undesirables would be
your DMZ machine, which means you can harden this machine to your heart's
content. It is the only one that carries a remotely accessible IP address.
(As an added convenience, you could stick a DHCP server on your internal
network to dispense out the 192.x.x.x addys, so that you don't have to
configure them by hand. No worries there! The DHCP requests won't escape your
local network.)

As you can see, contrary to what your consultant seems to think, this is a
very secure type of setup as it ensures traffic flows through one and ONLY
one pathway. Internal biz-critical machines and workstations can't be routed
to from the outside. Not sure what he means by too many machines required in
the DMZ. The DMZ I described above only uses the one. Everything else is
behind it using private range addresses. FYI, I have a similar setup running
Linux as my DMZ machine and miscellaneous Win2k, WinNT and even a few WinXP
boxes in the internal network (won't run that sucker any other way, believe
me!). The only ports that are being forwarded are 80, 22, and 110 to allow
web, ssh and mail traffic respectively.

I hope this helps and goes along the lines of what you're trying to
accomplish. I can provide more specific details if necessary.

-Terry Jordan
Systems Administrator

http://www.goantiques.com
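Terry's setup, a single Linux box with eth1 on the uplink and eth2 on the
private 192.168.1.x network, default-deny inbound, NAT for outbound traffic
and only 80, 22 and 110 forwarded to inside hosts, is what the script below
expresses as an iptables rule set. It is an added example, not Terry's actual
configuration: the interface names, the 192.168.1.0/24 range and the internal
host addresses are assumptions and are taken from environment variables so
they can be overridden. The script emits the rules rather than applying them
so they can be reviewed first; run it with --apply as root to load them.

```shell
#!/bin/sh
# Added example (not Terry's configuration): iptables rules for a two-NIC
# Linux "DMZ machine" that NATs the internal network and forwards only the
# listed TCP ports to specific internal hosts. All values below are assumed
# defaults; override them via the environment.
WAN_IF="${WAN_IF:-eth1}"                  # uplink to ISP (assumed name)
LAN_IF="${LAN_IF:-eth2}"                  # internal network (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # private, non-routed range
WEB_HOST="${WEB_HOST:-192.168.1.10}"      # assumed internal web server
SSH_HOST="${SSH_HOST:-192.168.1.10}"      # assumed host receiving ssh
MAIL_HOST="${MAIL_HOST:-192.168.1.20}"    # assumed internal POP3 server

# forward_port PORT HOST: DNAT a TCP port arriving on the uplink to one
# internal host, and allow exactly that NEW connection across FORWARD.
forward_port() {
    port="$1"; host="$2"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$port" "$host" "$port"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$host" "$port"
}

# gen_rules: print the complete rule set to stdout.
gen_rules() {
    cat <<EOF
# start clean, then default-deny everything arriving at or crossing the box
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback and replies to connections the box or the LAN already opened
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# internal hosts may go out; hide them behind the box's public address
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# the only inbound paths: the three forwarded services
EOF
    forward_port 80  "$WEB_HOST"
    forward_port 22  "$SSH_HOST"
    forward_port 110 "$MAIL_HOST"
}

# count_forwards: number of DNAT rules in the generated set (for review).
count_forwards() {
    gen_rules | grep -c -- '-j DNAT'
}

case "${1:-}" in
    --apply) gen_rules | sh ;;   # must run as root on the DMZ machine
    *)       gen_rules ;;        # default: print for review
esac
```

Because FORWARD and INPUT both default to DROP, a new inbound connection
reaches an internal host only through one of the three forward_port lines;
everything else on 192.168.1.x, DHCP included, stays unreachable from the
uplink, which is the property Terry describes. Each forwarded port still hands
the destination host's service to the internet, so those three services are
the ones to keep patched.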

-----Original Message-----
From: Carol Wood [mailto:cwood@sysplan.com]
Sent: Tuesday, January 15, 2002 5:24 PM
To: focus-ms@securityfocus.com
Subject: DMZ

This is somewhat in line with Andrew Langton's
email...
I run a mostly Microsoft NT 4.0 network with some
Linux servers. We have two locations connected by
a T1, 3 NT Domains. Simple little network. We do
host a few web sites as well.
However, we are going to be switching ISPs and I
want to redesign our network. Help me understand
the DMZ config.
I have a consultant that does not recommend a DMZ -
he says it does not translate to added security. He
says that a firewall is all you need.
I also was interested in using non-routed IP
addresses and his response is that this will result in
too many machines required in the DMZ = less
security overall.
So IF YOU were going to redesign your network, what
would YOU do?

I appreciate any constructive feedback and
suggestions that you may have. Thanks in advance
for your help!!!

Carol P. Wood
Director of IT
System Planning Corporation
