Re: DMZ - Question



Can't a PIX be licensed to support multiple DMZs?

I understand what you are trying to do with 2 FWs, but Dan is right, IMO.

Take a look at the new ASAs. I'll bet you will be more likely to be
approved for redundant Cisco ASAs with all the new security features
built in, than for 1 PIX + maint. and 1 VendorX + maint. + training +
added complexity.

An ASA is PIX under the hood.

Everyone's needs are different though. Good luck.


On 26 Oct 2007 15:41:02 -0000, hol64@xxxxxxxxxxx <hol64@xxxxxxxxxxx> wrote:
I have to setup a DMZ on our network. Our current layout is Internet Router <--> Firewall <--> WAN/LAN Router <--> Servers


The idea is to set up a back-to-back DMZ or dual-firewall DMZ. So the topology would be like this:

Internet Router --> FW-1 <--> DMZ <--> FW-2 <--> WAN/LAN router.


On the DMZ we will have a Web Server that needs access back to the Mainframe on the LAN, and a Mail server that needs access to another mail server on the LAN.


One of my questions is: the DMZ is in a /24 subnet and the LAN is on a /16 subnet. Is the only way for the web server in the DMZ to communicate with the inside LAN by NATting in FW-2? Isn't this creating a double subnet from the outside?


I am working with 2 PIX firewalls, and I am hoping to change FW-2 to a different brand that has stateful inspection.




Please advise,


Thanks,


Pablo




--
-p1g
SnortCP
,,__
o" )~ oink oink
' ' ' '

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
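Added example, not from this thread or from either poster: a small Python model of the back-to-back DMZ in the question (Internet Router --> FW-1 <--> DMZ <--> FW-2 <--> LAN). It checks the two things a reviewer of that design would want to see before deciding on NAT and on a second vendor: whether the DMZ /24 and LAN /16 actually overlap (if they do not, FW-2 can route between them and NAT is optional rather than required), and that a least-privilege rule set on FW-2 permits only the two flows the question names (web server to mainframe, DMZ mail server to LAN mail server) and denies everything else from the DMZ. All addresses, the host names and the mainframe port (tcp/23, TN3270) are constructed assumptions, not values from the thread.

```python
"""Model of FW-2 in a dual-firewall DMZ: subnet overlap check plus a
first-match, implicit-deny rule evaluator (the access-list model used by
PIX/ASA and most stateful firewalls). Added example; all values constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional

# Constructed sample subnets: /24 DMZ and /16 LAN as in the question.
DMZ = ip_network("192.168.10.0/24")
LAN = ip_network("10.0.0.0/16")

# Constructed hosts (assumed, not the poster's addresses).
WEB_SERVER = ip_address("192.168.10.10")
MAIL_DMZ = ip_address("192.168.10.25")
MAINFRAME = ip_address("10.0.5.1")
MAIL_LAN = ip_address("10.0.5.25")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None = any destination port
    action: str           # "permit" or "deny"


def host(addr) -> IPv4Network:
    """Single host as a /32 network so rules can use one matching path."""
    return ip_network(f"{addr}/32")


# FW-2 policy for traffic originating in the DMZ toward the LAN.
# Only the two flows the question describes are opened; the last rule
# makes the deny explicit so it shows up in audits.
FW2_RULES: List[Rule] = [
    Rule(host(WEB_SERVER), host(MAINFRAME), "tcp", 23, "permit"),  # TN3270 (assumed port)
    Rule(host(MAIL_DMZ), host(MAIL_LAN), "tcp", 25, "permit"),     # SMTP into the LAN relay
    Rule(DMZ, LAN, "any", None, "deny"),                           # everything else from DMZ
]


def needs_nat(a: IPv4Network, b: IPv4Network) -> bool:
    """NAT between two segments behind one firewall is only *required* when
    their address ranges overlap; otherwise plain routing plus ACLs works."""
    return a.overlaps(b)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First-match evaluation with an implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


def broad_permits(rules: List[Rule]) -> List[Rule]:
    """Audit helper: permit rules that are wider than host-to-host on one
    port. An empty list means every opening is pinned to a host pair."""
    return [r for r in rules
            if r.action == "permit"
            and (r.src.prefixlen < 32 or r.dst.prefixlen < 32 or r.dport is None)]


if __name__ == "__main__":
    print("NAT required between DMZ and LAN:", needs_nat(DMZ, LAN))
    print("web -> mainframe tcp/23:", evaluate(FW2_RULES, "192.168.10.10", "10.0.5.1", "tcp", 23))
    print("web -> other LAN host tcp/445:", evaluate(FW2_RULES, "192.168.10.10", "10.0.7.7", "tcp", 445))
    print("overly broad permits:", broad_permits(FW2_RULES))
```

The point of the last check is the one that matters for a dual-firewall design: the value of FW-2 comes from how narrow its DMZ-to-LAN permits are, not from which vendor built it. Return traffic for the two permitted flows comes back through the firewall's state table, so no LAN-to-DMZ rule is needed for it.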


