Re: Firewall and DMZ topology

From: Christopher Ingram (cmi_at_crystalsands.net)
Date: 06/09/03

    Date: Mon, 09 Jun 2003 12:49:56 -0400
    To: security-basics@securityfocus.com
    
    

    On Saturday, June 7, 2003, at 10:06 AM, William J. Burgos wrote:

    > Greetings list,
    >
    > I would like to set up a SOHO network with a firewall and DMZ for mostly
    > web serving and email. Of course, there are private PCs on the internal
    > network, Windows and Linux.
    >
    > My connection is a dynamic IP on a pppoe and I already have an old
    > laptop used as a simple firewall setup.
    >
    > I am considering separating my web and email server to a dedicated
    > machine and placing it in a DMZ.
    >
    > In searching on the web, I came up with a few topologies and I would
    > like to ask the list for their opinion.
    >
    > I have sketched out a few scenarios below:
    >
    > 1. | Internet |-->| Firewall |-->| DMZ |-->| internal network |
    >
    > This scenario (1) puts the DMZ between the firewall and internal
    > network. I have read that this is insecure as if the DMZ is compromised,
    > so will be the internal network. Is this true?
    >
    > 2. | Internet |-->| Firewall |--->| internal network |
    >                             |--->| DMZ |
    >
    > This scenario (2) uses three NIC's for the firewall. One for the
    > internal network, one for the DMZ and one for the Internet. I have read
    > that this is a Three-legged firewall setup. The drawback is that I would
    > need three NIC's for the firewall which is now a laptop with only two.
    >
    > 3. | Internet |-->| DMZ with Firewall |-->| internal network |
    >
    > This scenario (3) places the DMZ with the firewall on one box and then
    > to the internal network. My concern is if I can secure the DMZ from the
    > firewall on one box. Is there a way to secure this setup?
    >
    > 4. | Internet |-->| DMZ |-->| Firewall |-->| internal network |
    >
    > This scenario (4) places the DMZ before the Firewall which leaves it
    > open to the Internet. Is there a way to secure this setup?
    >
    > I am trying to avoid having to get another box with three NIC's for
    > Scenario 2, if possible. However, I would feel safer in a less easy to
    > break in setup.
    >
    > Any comments or suggestions would be appreciated.
    >
    > Thanks in advance.
    >
    > William Burgos
    >

    William,
    I would strongly recommend going with the 3 NIC setup. If not, you can
    always purchase a cheap hardware router and use clever allocation of
    your IP addresses.

    Internet -> Router -> DMZ
                        -> Firewall (NAT?) -> Workstations

    Keep in mind that if you use any of the scenarios where the DMZ is
    inline with the firewall and your internal network, compromising one
    will yield easy access to the others. Well, at least the ability to
    sniff traffic between your internal network and the Internet or the DMZ.
    The point of a DMZ is to completely isolate it from the rest of your
    network. Using an inline setup makes expanding access in the event of a
    security breach easier.

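Whichever box ends up carrying the third interface, the isolation Christopher describes (the DMZ host can be reached only on its published ports, can talk back to the Internet only for what the mail server needs, and can never start a connection toward the workstations) comes down to the forwarding rules on the firewall. The script below is an added example written for this page, not code posted in the thread; the interface names (ppp0 for the PPPoE uplink, eth1 for the DMZ, eth0 for the LAN), the private subnets and the DMZ host address are assumptions chosen for illustration.

```shell
#!/bin/sh
# Three-legged firewall: WAN (PPPoE, dynamic address), DMZ, LAN.
# Added example; interface names and addresses below are assumptions.
WAN=ppp0                     # PPPoE uplink
DMZ=eth1                     # DMZ segment with the web/mail host
LAN=eth0                     # internal workstations
DMZ_HOST=192.168.100.10      # assumed address of the web + mail server

# Set IPT=echo before calling apply_rules to preview the rules
# instead of loading them into the kernel.
IPT=${IPT:-iptables}

apply_rules() {
    # Default deny for anything crossing between interfaces.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F

    # Replies to connections that were allowed to start.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Internet -> DMZ: only the published services, forwarded to the DMZ host.
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $DMZ_HOST
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to-destination $DMZ_HOST
    $IPT -A FORWARD -i $WAN -o $DMZ -d $DMZ_HOST -p tcp -m multiport --dports 80,25 \
         -m conntrack --ctstate NEW -j ACCEPT

    # LAN -> DMZ and LAN -> Internet: workstations may start connections.
    $IPT -A FORWARD -i $LAN -o $DMZ -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -m conntrack --ctstate NEW -j ACCEPT

    # DMZ -> Internet: only outbound mail delivery and DNS from the DMZ host,
    # so a compromised server cannot freely reach out.
    $IPT -A FORWARD -i $DMZ -o $WAN -s $DMZ_HOST -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $WAN -s $DMZ_HOST -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # DMZ -> LAN: never initiated from the DMZ. Log it, so a compromised
    # DMZ host probing the internal network shows up in the logs.
    $IPT -A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ->LAN blocked: "
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP

    # Hide both private segments behind the dynamic WAN address.
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}
```

Run it as root on the firewall after enabling IP forwarding; run it with `IPT=echo` first to review the rule set. The two rules that matter most for the point made above are the explicit DROP (with logging) from the DMZ interface toward the LAN interface and the FORWARD policy of DROP: with those in place, a compromised web or mail server gets no path to the workstations, which is exactly what an inline DMZ cannot guarantee.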

