Firewall and DMZ topology

From: William J. Burgos (wjburgos_at_white-bear-productions.com)
To: security-basics@securityfocus.com
Date: 07 Jun 2003 23:06:03 +0900


    Greetings list,

    I would like to set up a SOHO network with a firewall and DMZ, mostly for
    web serving and email. Of course, there are private PCs on the internal
    network, both Windows and Linux.

    My connection is a dynamic IP over PPPoE, and I already have an old
    laptop used as a simple firewall.

    I am considering separating my web and email server to a dedicated
    machine and placing it in a DMZ.

    In searching on the web, I came up with a few topologies and I would
    like to ask the list for their opinion.

    I have sketched out a few scenarios below:

    1. | Internet |-->| Firewall |-->| DMZ |-->| internal network |

    This scenario (1) puts the DMZ between the firewall and the internal
    network. I have read that this is insecure, since if the DMZ is
    compromised, so is the internal network. Is this true?

    2. | Internet |-->| Firewall |--->| internal network |
                                  |--->| DMZ |

    This scenario (2) uses three NICs in the firewall: one for the
    internal network, one for the DMZ and one for the Internet. I have read
    that this is a three-legged firewall setup. The drawback is that I would
    need three NICs in the firewall, which is now a laptop with only two.

    3. | Internet |-->| DMZ with Firewall |-->| internal network |

    This scenario (3) places the DMZ with the firewall on one box and then
    to the internal network. My concern is if I can secure the DMZ from the
    firewall on one box. Is there a way to secure this setup?

    4. | Internet |-->| DMZ |-->| Firewall |-->| internal network |

    This scenario (4) places the DMZ before the Firewall which leaves it
    open to the Internet. Is there a way to secure this setup?

    I am trying to avoid having to get another box with three NICs for
    Scenario 2, if possible. However, I would feel safer with a setup that
    is harder to break into.

    Any comments or suggestions would be appreciated.

    Thanks in advance.

    William Burgos

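As an added example that is not part of William's post or of any reply to it, the script below generates an nftables ruleset for the three-legged topology in scenario 2 on a Linux firewall. The interface and address names are assumptions: the PPPoE link is ppp0, the internal network is eth0, and the DMZ is an 802.1Q sub-interface eth1.10 on the second NIC, which is one way a two-NIC laptop can get a third leg if the switch in front of it supports tagged VLANs (without such a switch the third NIC really is needed). The server in the DMZ is assumed to be 192.168.2.10. The rule that matters most is the one that drops and logs anything the DMZ tries to open towards the LAN: that single enforcement point is what the separate leg buys you.

```shell
#!/bin/sh
# Added example (not from the original post): nftables ruleset generator for
# a three-legged firewall (scenario 2). All names below are hypothetical.
#
#   WAN      = ppp0         PPPoE link with the dynamic address
#   LAN      = eth0         internal network
#   DMZ      = eth1.10      802.1Q sub-interface on the second NIC, so a two-NIC
#                           box still gets a third leg (needs a VLAN-capable
#                           switch): ip link add link eth1 name eth1.10 type vlan id 10
#   DMZ_HOST = 192.168.2.10 the web/mail server in the DMZ

gen_ruleset() {
    wan=$1 lan=$2 dmz=$3 dmz_host=$4
    cat <<EOF
flush ruleset

table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        ip protocol icmp accept
        # only the LAN may administer the firewall; DMZ and WAN may not
        iifname "$lan" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # PPPoE lowers the MTU; clamp MSS so forwarded TCP does not stall
        oifname "$wan" tcp flags syn tcp option maxseg size set rt mtu
        # LAN -> Internet: anything
        iifname "$lan" oifname "$wan" accept
        # LAN -> DMZ: published services plus ssh for administration
        iifname "$lan" oifname "$dmz" ip daddr $dmz_host tcp dport { 22, 25, 80, 443 } accept
        # Internet -> DMZ: published services only, only to the DMZ host
        iifname "$wan" oifname "$dmz" ip daddr $dmz_host tcp dport { 25, 80, 443 } accept
        # DMZ -> Internet: outbound mail and DNS only
        iifname "$dmz" oifname "$wan" tcp dport 25 accept
        iifname "$dmz" oifname "$wan" udp dport 53 accept
        # DMZ -> LAN: never, and logged; this rule is what makes it a DMZ
        iifname "$dmz" oifname "$lan" log prefix "dmz-to-lan " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # publish the DMZ services on whatever address PPPoE assigned
        iifname "$wan" tcp dport { 25, 80, 443 } dnat to $dmz_host
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$wan" masquerade
    }
}
EOF
}

# Write the ruleset to a file; load it only when explicitly asked.
RULESET=${RULESET:-/tmp/three-legged.nft}
gen_ruleset ppp0 eth0 eth1.10 192.168.2.10 > "$RULESET"
if [ "$1" = "--apply" ]; then
    nft -f "$RULESET"          # needs root; nft -f replaces the ruleset atomically
else
    echo "ruleset written to $RULESET (run with --apply to load it)"
fi
```

Because the WAN address is dynamic, the rules never mention it: the dnat rule matches on the incoming interface, and masquerade picks up the current ppp0 address. Inspect the generated file before loading it, and keep a console session open the first time you apply it, since the input chain defaults to drop.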

