Re: Firewall and DMZ topology

From: Aaron Fisher (aaron-fisher_at_iinet.net.au)
Date: 06/11/03

  • Next message: William J. Burgos: "Re: Firewall and DMZ topology - Thanks for all the information"
    Date: Wed, 11 Jun 2003 10:42:48 +0800
    To: security-basics@securityfocus.com
    
    

    After seeing this topic go on for some time, why not have a router with 2
    network interfaces: on one interface you would have your firewall and then
    the internal LAN.

                           <> Firewall <> LAN
        internet <> router
                           <> Firewall <> DMZ

    The other would have your firewall and then the DMZ. You can then deny all
    traffic with a source address from the DMZ going to a destination of your
    LAN. This still wouldn't stop traffic originally coming from the LAN, as
    I'm assuming you would be using NAT, so the source address would be the
    router's external interface and it was initiated by the LAN. Hopefully this
    suggestion makes sense; however, routers with 2 10/100 network ports can be
    rather expensive.

    Anyway, that's my 2 cents.

    Aaron

    Des Ward wrote:

    >The first one does not have to use two separate firewalls, just have an
    >extra NIC to segment the LAN and DMZ.
    >
    >Your bottom two examples are as follows:
    >
    >The first one is far too complex and was how I thought a DMZ was supposed to
    >be until I realised that it just wasn't needed.
    >
    >The second means that all traffic has to traverse your LAN to get to the
    >'Unprotected' DMZ systems and also could leave your internal LAN open to
    >attack.
    >
    >The main thing to remember is that the DMZ is designed to be accessible to
    >the outside world. You do want this segmented from the rest of the LAN in
    >the easiest way possible.
    >
    >Just my .002667 cents worth (After converting from the BRITISH and not
    >ENGLISH pound)
    >
    >-----Original Message-----
    >From: Chris Berry [mailto:compjma@hotmail.com]
    >Sent: 10 June 2003 01:53
    >To: security-basics@securityfocus.com
    >Subject: Re: Firewall and DMZ topology
    >
    >
    >
    >>From: Christopher Ingram <cmi@crystalsands.net>
    >>So, the below setup is not decent for a corporate LAN. Ideally, the DMZ
    >>should sit on a separate connection to the Internet from the rest of the
    >>network, using a different ISP and therefore, different IP block. This
    >>provides the most isolation.
    >>
    >>
    >
    >I'm afraid I don't see how that:
    >
    >internet --> Firewall --> Lan
    >
    >internet --> Firewall --> DMZ
    >
    >would be any more secure than this:
    >
    >internet --> Outer Firewall --> DMZ --> Inner Firewall --> LAN
    >
    >or this:
    >
    >internet --> Firewall --> LAN
    > --> DMZ
    >
    >which are the setups that I've seen. Can you give some
    >justification/explanation on why you think that would be better?
    >
    >Chris Berry
    >compjma@hotmail.com
    >Systems Administrator
    >JM Associates
    >
    >"All I want is a few minutes alone with the source code for the universe and
    >
    >a quick recompile."
    >
    >_________________________________________________________________
    >STOP MORE SPAM with the new MSN 8 and get 2 months FREE*
    >http://join.msn.com/?page=features/junkmail
    >
    >
    >---------------------------------------------------------------------------
    >Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    >The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    >while InStat has confirmed Neoteris as the leader in marketshare.
    >
    >Find out why, and see how you can get plug-n-play secure remote access in
    >about an hour, with no client, server changes, or ongoing maintenance.
    >
    >Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    >----------------------------------------------------------------------------
    >
    >
    >
    >
    >
    >
    >

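The segmentation the thread keeps circling back to (the LAN may open connections into the DMZ and receive the replies, the DMZ may not open connections into the LAN, the Internet reaches only the DMZ ports you publish) can be modelled as a small zone-based, stateful packet filter. The block below is an added example and is not code from the original post or from any message in the thread; it uses connection tracking so that LAN-initiated sessions get their replies without relying on NAT, and the zone prefixes, host addresses, ports and policy table are constructed assumptions.

```python
"""Zone-based, stateful packet-filter model for the Internet / DMZ / LAN split.

The DMZ hosts are reachable from the Internet, so the rule that matters is
that a compromised DMZ host must not be able to open a connection into the
LAN, while the LAN can still talk to the DMZ and receive the replies.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption; the thread names no addresses).
ZONES = {
    "lan": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.0.2.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside LAN/DMZ is 'internet'."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True  # True only for a connection-opening packet


# Allowed NEW connections per (source zone, destination zone).
# None = any port; a missing pair is denied (so no DMZ->LAN, no Internet->LAN).
POLICY = {
    ("internet", "dmz"): {25, 80, 443},   # published DMZ services only
    ("lan", "dmz"): None,                  # admins reach DMZ hosts freely
    ("lan", "internet"): None,
    ("dmz", "internet"): {53, 80, 443},    # DNS and package updates
}


class StatefulFilter:
    """Minimal connection-tracking filter: packets of a known flow are accepted
    in either direction; only connection openers are judged against the policy."""

    def __init__(self, policy):
        self.policy = policy
        self.flows = set()  # established 5-tuples as seen from the initiator

    def evaluate(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows or reverse in self.flows:
            return "ACCEPT:established"   # reply traffic rides on the tracked flow
        if not pkt.syn:
            return "DROP:no-flow"         # stray or forged "reply" with no matching flow
        allowed = self.policy.get((zone_of(pkt.src), zone_of(pkt.dst)), "deny")
        if allowed == "deny" or (allowed is not None and pkt.dport not in allowed):
            return "DROP:policy"
        self.flows.add(key)
        return "ACCEPT:new"


def demo():
    """Run a constructed packet sequence through the filter; returns (label, verdict) pairs."""
    fw = StatefulFilter(POLICY)
    sequence = [
        ("lan -> dmz ssh (new)",        Packet("10.0.0.15", 40000, "192.0.2.10", 22)),
        ("dmz -> lan ssh reply",        Packet("192.0.2.10", 22, "10.0.0.15", 40000, syn=False)),
        ("dmz -> lan smb (new)",        Packet("192.0.2.10", 51000, "10.0.0.15", 445)),
        ("dmz -> lan forged ack",       Packet("192.0.2.10", 22, "10.0.0.16", 40001, syn=False)),
        ("internet -> dmz https (new)", Packet("198.51.100.7", 33000, "192.0.2.10", 443)),
        ("internet -> dmz ssh (new)",   Packet("198.51.100.7", 33001, "192.0.2.10", 22)),
        ("internet -> lan http (new)",  Packet("198.51.100.7", 33002, "10.0.0.15", 80)),
    ]
    return [(label, fw.evaluate(p)) for label, p in sequence]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:30} {verdict}")
```

The point to check against a real ruleset is the same as in the model: the DMZ-to-LAN direction needs an explicit deny for new connections, and the return path for LAN-initiated sessions should be carried by connection state rather than by any broad "allow from DMZ" rule, which is what would let a compromised bastion reach inward.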

