Re: basic DMZ scheme

From: Devdas Bhagat (devdas@worldgatein.net)
Date: 12/31/01


Date: Mon, 31 Dec 2001 15:49:09 +0530
From: Devdas Bhagat <devdas@worldgatein.net>
To: security-basics@securityfocus.com


On 28/12/01 17:38 +0500, Roman Serbski wrote:
> Probably this is OT (I'm sorry), but could someone point me to URLs
> where I could find information about DMZ organizing?
> I have main firewall with three NICs, one goes to private LAN, second
> one to DMZ, third one to ISP. Is there any basic document about where to
> place service servers (for example mail, proxy, dhcp, modem pool, etc)
> from the security and efficiency point of view.
Generally, services that you want to offer to the public, but are
important to you, like your website, go into the DMZ.
Stuff that you can ignore, or have to put outside your network firewall
(like a gateway router) is in the public network.

SMTP, you have inbound MX servers in the public network, which drop a
lot of SPAM delivering to internal MX systems which do antivirus
checking and these deliver to Mailbox servers in the private network.
To get your mail, you connect to a pop|imap proxy in the DMZ, which
connects to the appropriate mailbox server and then delivers the mail to
the MUA.

DHCP should probably go in the public network, modem pool for employees
would be in the DMZ (dialup ISPs' modem pools go in the public network).

A properly configured proxy running only the proxy services can be
placed in the public network, but you might want to treat it more like
an application layer firewall for your internal network.

Webservers go in the DMZ, accelerating proxies in the public network.

Database servers should be in the internal network.

Hope this helps

Devdas Bhagat
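
Added example, not part of the original post: a default-deny audit of forward rules on the three-NIC firewall against the zone-to-zone flows the reply describes. The addresses, the sample rules, the choice of the DMZ for the antivirus MX and the function names are assumptions made for illustration.

```python
from ipaddress import ip_network

# Constructed addressing for the two inside NICs (assumption: the thread gives none).
ZONES = {"private": ip_network("10.0.0.0/24"), "dmz": ip_network("192.168.100.0/24")}

# (source zone, destination zone, TCP port) flows implied by the post.
# Assumptions: the antivirus MX sits in the DMZ; mail clients may be on either side.
ALLOWED = {
    ("public", "dmz", 25),    # inbound MX -> antivirus MX
    ("dmz", "private", 25),   # antivirus MX -> mailbox servers
    ("public", "dmz", 80),    # accelerating proxy -> web servers
}
for port in (110, 143):       # pop|imap: client -> proxy in DMZ -> mailbox server
    ALLOWED |= {("public", "dmz", port), ("private", "dmz", port), ("dmz", "private", port)}


def zones_covered(net):
    """Every zone a destination network overlaps, so broad rules are expanded."""
    net = ip_network(net)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("public")     # part of the range lies outside both inside zones
    return hit


def audit(rules):
    """rules: (ingress zone, destination network, port). Default deny between zones."""
    findings = []
    for rule in rules:
        src_zone, dst, port = rule
        for dst_zone in sorted(zones_covered(dst)):
            if dst_zone != src_zone and (src_zone, dst_zone, port) not in ALLOWED:
                findings.append((rule, src_zone, dst_zone))
    return findings


# Constructed forward rules, keyed by the NIC (zone) the traffic arrives on.
RULES = [
    ("public", "192.168.100.10/32", 25),   # inbound MX to the DMZ mail host
    ("dmz", "10.0.0.20/32", 25),           # DMZ mail host to a mailbox server
    ("private", "192.168.100.30/32", 110), # LAN client to the POP proxy
    ("public", "10.0.0.40/32", 3306),      # Internet straight to a database server
    ("dmz", "0.0.0.0/0", 143),             # over-broad destination on the IMAP proxy
]

if __name__ == "__main__":
    for rule, src_zone, dst_zone in audit(RULES):
        print(f"{src_zone} -> {dst_zone} not permitted: {rule}")
```

The last two sample rules are reported: one reaches the private network directly from the public side, and the other names a destination wider than the mailbox servers the proxy needs.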


