Re: Firewall and DMZ topology
From: Erik Vincent (evincent_at_ndexsystems.com)
Date: 06/09/03
- Previous message: Brad Mills: "Re: Firewall configuration statistics"
- In reply to: Christopher Ingram: "Re: Firewall and DMZ topology"
- Next in thread: Christopher Ingram: "Re: Firewall and DMZ topology"
- Reply: Christopher Ingram: "Re: Firewall and DMZ topology"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 09 Jun 2003 16:11:55 -0400 To: Christopher Ingram <cmi@crystalsands.net>
So according to your answer,
Internet | -->| Firewall |-->| DMZ |-->| Firewall |-->| Internal
network
Should be a more secure option.
Is it good enough for a corporate LAN?
Christopher Ingram wrote:
>
> On Saturday, June 7, 2003, at 10:06 AM, William J. Burgos wrote:
>
>> Greetings list,
>>
>> I would like to set up a SOHO network with a firewall and DMZ for mostly
>> web serving and email. Of course, there are private PCs on the internal
>> network, Windows and Linux.
>>
>> My connection is a dynamic IP on a pppoe and I already have an old
>> laptop used as a simple firewall setup.
>>
>> I am considering separating my web and email server to a dedicated
>> machine and placing it in a DMZ.
>>
>> In searching on the web, I came up with a few topologies and I would
>> like to ask the list of their opinion.
>>
>> I have sketched out a few scenarios below:
>>
>> 1. | Internet |-->| Firewall |-->| DMZ |-->| internal network |
>>
>> This scenario (1) puts the DMZ between the firewall and internal
>> network. I have read that this is insecure as if the DMZ is compromised,
>> so will be the internal network. Is this true?
>>
>> 2. | Internet |-->| Firewall |--->| internal network |
>> | |--->| DMZ |
>>
>> This scenario (2) uses three NIC's for the firewall. One for the
>> internal network, one for the DMZ and one for the Internet. I have read
>> that this is a Three-legged firewall setup. The drawback is that I would
>> need three NIC's for the firewall which is now a laptop with only two.
>>
>> 3. | Internet |-->| DMZ with Firewall |-->| internal network |
>>
>> This scenario (3) places the DMZ with the firewall on one box and then
>> to the internal network. My concern is if I can secure the DMZ from the
>> firewall on one box. Is there a way to secure this setup?
>>
>> 4. | Internet |-->| DMZ |-->| Firewall |-->| internal network |
>>
>> This scenario (4) places the DMZ before the Firewall which leaves it
>> open to the Internet. Is there a way to secure this setup?
>>
>> I am trying to avoid having to get another box with three NIC's for
>> Scenario 2, if possible. However, I would feel safer in a less easy to
>> break in setup.
>>
>> Any comments or suggestions would be appreciated.
>>
>> Thanks in advance.
>>
>> William Burgos
>>
>>
>> ---------------------------------------------------------------------------
>> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
>> analysts!
>> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
>> while InStat has confirmed Neoteris as the leader in marketshare.
>>
>> Find out why, and see how you can get plug-n-play secure remote
>> access in
>> about an hour, with no client, server changes, or ongoing maintenance.
>>
>> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
>> ----------------------------------------------------------------------------
>
>
> William,
> I would strongly reccomend going with the 3 NIC setup. If not, you can
> always purchase a cheap hardware router and use clever allocation of
> your IP addresses.
>
> Internet -> Router -> DMZ
> -> Firewall (NAT?) -> Workstations
>
> Keep in mind that if you use any of the scenarios where the DMZ is
> inline with the firewall and your internal network, compromising one
> will yield easy access to the others. Well, at least the ability to
> sniff traffic between your internal network and the Internet or the
> DMZ. The point of a DMZ is to completely isolate it from the rest of
> your network. Using an inline setup makes expanding access in the even
> of a security breach easier.
>
>
> ---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
> Find out why, and see how you can get plug-n-play secure remote
> access in
> about an hour, with no client, server changes, or ongoing maintenance.
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ----------------------------------------------------------------------------
>
---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
- Previous message: Brad Mills: "Re: Firewall configuration statistics"
- In reply to: Christopher Ingram: "Re: Firewall and DMZ topology"
- Next in thread: Christopher Ingram: "Re: Firewall and DMZ topology"
- Reply: Christopher Ingram: "Re: Firewall and DMZ topology"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
