Re: DMZ - Question

On the DMZ we will have a Web Server that needs access back to the
Mainframe on the LAN, and a Mail server that needs access to another
mail server on the LAN.

Bad idea. You don't want hosts in the DMZ to be able to establish
connections into the LAN. That would be breaking the concept of a DMZ
(allow connections from a network with higher security level to a
network with lower security level, but not vice versa).

There are several ways to deal with this problem, e.g. replicate the
information from the servers into the DMZ, use bastion hosts, or put
the servers from the LAN into a second DMZ.

Don't take general rules too far.

You don't want connections from the outside connecting directly to
systems on the inside at all.

Specific systems in the DMZ accessing specific systems/services on the
LAN is normal and acceptable. Trying too hard to stick to this
general rule usually results in worse systems (replication impacting
integrity, additional complexity impacting availability, etc).

These DMZ systems should be minimized and hardened so in effect they
are the bastion host.

In some environments you would want additional segmentation on the
LAN, but it's probably not realistic or a good idea to move your
mainframe into a DMZ.

PIXs do stateful inspection.

The web server needs to have access to a mainframe. How would you
increase security if not with a DMZ?

You can do this well with one PIX. If I were you and had 2 PIXs, I'd
use the other one for redundancy.

Internet Router --> PIX <--> WAN/LAN router <---> LAN <--- MainFrame
                     |
                    DMZ
                     |
                 Web Server

You can put Inet -> DMZ and DMZ -> LAN ACLs on the PIX, logically
doing what you were doing with the two PIXs.

There could be some value in sticking with 2 firewalls if they were
different vendors/technologies, but again, you need to be careful here
too. If your firewall admins are good at PIX and you throw something
they don't know into the mix you could easily be worse off.

As far as the NAT goes, I think generally you NAT/PAT to the outside
from the inside or the DMZ, and "no NAT" between the inside and DMZ
(and DMZ and inside), so that is just routing.
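The single-PIX design described above, written out as a PIX 6.x-style configuration fragment. This is an added example, not configuration from the original post; the interface names, the addresses (203.0.113.0/24 outside, 192.168.1.0/24 DMZ, 10.1.0.0/16 LAN), the mainframe service (TN3270 on tcp/23) and the syslog host are all assumptions chosen for illustration.

```text
! Added example, not from the original post. PIX 6.x-style syntax.
! Constructed addresses: outside 203.0.113.0/24, DMZ 192.168.1.0/24,
! LAN 10.1.0.0/16. Mainframe on tcp/23 (TN3270) is an assumption.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.255.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0

! Inside and DMZ reach the Internet via PAT on the outside interface.
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0
nat (dmz) 1 192.168.1.0 255.255.255.0

! "No NAT" between inside and DMZ: an identity static lets DMZ hosts see
! real LAN addresses, so inside <-> DMZ is plain routing plus the ACLs below.
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

! Publish the DMZ web server and DMZ mail relay on public addresses.
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255

! Inet -> DMZ: only HTTP to the web server and SMTP to the mail relay.
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.11 eq 25
access-list outside_in deny ip any any
access-group outside_in in interface outside

! DMZ -> LAN: a specific DMZ host to a specific LAN host/service, nothing else.
! Web server (192.168.1.10) to the mainframe (10.1.0.5) on tcp/23 only.
access-list dmz_in permit tcp host 192.168.1.10 host 10.1.0.5 eq 23
! DMZ mail relay (192.168.1.11) to the internal mail server (10.1.0.6) on SMTP.
access-list dmz_in permit tcp host 192.168.1.11 host 10.1.0.6 eq 25
! Everything else from the DMZ toward the LAN is denied (and logged);
! DMZ hosts keep their outbound Internet access.
access-list dmz_in deny ip any 10.1.0.0 255.255.0.0
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_in in interface dmz

! Ship denies to a LAN syslog host so a DMZ box probing the LAN is visible.
logging on
logging host inside 10.1.0.20
logging trap warnings
```

The two explicit permits are the only DMZ -> LAN paths; anything a compromised DMZ host tries beyond them shows up as a logged deny rather than a connection.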


