RE: Basic Network Configuration

From: Stuart (secmail_at_patchsupplier.dyndns.org)
Date: 10/15/03

    To: "'Smith, KC'" <ksmith@systemsalliance.com>, <security-basics@securityfocus.com>
    Date: Wed, 15 Oct 2003 00:44:53 +0100
    
    

    Hello,
    Yes, mail servers, web servers, ftp, etc. are your DMZ buddies. The one
    firewall with 3 interfaces provides the logical topology of the
    firewall> dmz> firewall> lan layout but physically it does not. One
    thing I do not understand by doing this is security, if the firewall is
    compromised it does not matter DMZ or not the lan can be accessed, but
    from a firewall>dmz>firewall>lan physical layout this would be far more
    difficult especially if the other firewall is from a different vendor as
    the same exploit would not work twice :). I think the true 'standard'
    for a DMZ is to not have the servers themselves talking to the lan which
    your solution currently does the job of doing. Does anyone have any info
    regarding a true DMZ definition?

    Hth,
    Stu

    -----Original Message-----
    From: Smith, KC [mailto:ksmith@systemsalliance.com]
    Sent: 14 October 2003 17:40
    To: security-basics@securityfocus.com
    Subject: Basic Network Configuration

    All,

    Okay I know this is truly a basic question, but this is after all the
    "security-BASICS" list!

    Most LAN configs I've seen include two, separate pieces of hardware to
    define the DMZ. A firewall on the outside and another firewall or
    policy switch on the inside is usually how I've seen that handled.

    My new company uses 3 separate NICs in the same firewall. One for
    inbound, one for the LAN and one for the DMZ. Each has its own address
    block.

    It seems like using the firewall to do this makes sense, but I'd
    appreciate some external confirmation on that.

    The second issue is this: is there a rule of thumb to determine what
    should and should not go in the DMZ vs. the LAN? It seems to me that
    anything that requires access from outside the network (Ex. DNS servers,
    Mail servers, demo servers, etc.) should go in the DMZ. True?

    Thanks in advance.
    KC Smith
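The three-NIC layout KC describes, with the "DMZ servers must not talk to the LAN" property Stu calls a true DMZ, as an added example that is not part of the thread: a small Python model of the forwarding policy on one firewall with an outside, a LAN and a DMZ interface. Interface names, addresses and the published ports are assumptions.

```python
from dataclasses import dataclass

# Assumed interface-to-zone mapping for the single three-NIC firewall.
ZONES = {"eth0": "outside", "eth1": "lan", "eth2": "dmz"}

# Constructed DMZ services reachable from the outside: (host, port).
PUBLISHED = {("10.1.2.10", 25), ("10.1.2.10", 53),
             ("10.1.2.20", 80), ("10.1.2.20", 443)}

# Constructed: the only ports DMZ hosts may open towards the outside
# (mail relay and DNS resolution).
DMZ_EGRESS_PORTS = {25, 53}


@dataclass(frozen=True)
class Flow:
    in_if: str           # interface the first packet arrives on
    out_if: str          # interface it would leave by
    dst_ip: str
    dst_port: int
    established: bool = False  # reply within a session already in the state table


def decide(flow: Flow) -> str:
    """Return ACCEPT or DROP for a forwarded flow under the three-zone policy."""
    src, dst = ZONES[flow.in_if], ZONES[flow.out_if]
    if flow.established:
        # Stateful firewall: replies ride on the original, already-permitted
        # session, so a DMZ host can answer a LAN-initiated admin connection
        # without ever being allowed to initiate one itself.
        return "ACCEPT"
    if src == "lan" and dst in ("dmz", "outside"):
        return "ACCEPT"  # inside users browse out and administer DMZ hosts
    if src == "outside" and dst == "dmz" and (flow.dst_ip, flow.dst_port) in PUBLISHED:
        return "ACCEPT"  # only the published services are exposed
    if src == "dmz" and dst == "outside" and flow.dst_port in DMZ_EGRESS_PORTS:
        return "ACCEPT"  # mail relay and DNS lookups from the DMZ
    # Everything else, in particular dmz -> lan and outside -> lan, is dropped:
    # a compromised DMZ host gets no new path into the LAN.
    return "DROP"


if __name__ == "__main__":
    # Constructed sample flows: the DMZ web server trying to reach a LAN file
    # share, and a LAN admin's SSH reply coming back from the DMZ.
    print(decide(Flow("eth2", "eth1", "10.1.1.5", 445)))                     # DROP
    print(decide(Flow("eth2", "eth1", "10.1.1.5", 22, established=True)))    # ACCEPT
```

The model covers only what the firewall forwards between its three interfaces; it says nothing about the case Stu raises where the firewall itself is compromised, which no ruleset on that same box can address.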

