Re: DMZ (De-militarized Zone)

From: Wolfgang Kueter (wolfgang_at_shconnect.de)
Date: 12/01/03


Date: Mon, 01 Dec 2003 15:12:18 +0100

Arman wrote:

> I am prepared to create a DMZ network for all my testing and also a
> safe zone for my file servers and so on! Currently inside our office
> there are several computers connected to a hub and then through a
> Cisco 800 series router which gets configured by our ISP!

So why the hell don't you discuss everything concerning network architecture
with your ISP?

> This router
> is capable of DMZ but it only has one cable port which is useless to
> me because the whole idea of DMZ is to create two separate networks
> where the two cannot talk to each other! Money is not exactly an
> issue here, but maximum security is my main consideration,

Fine, hire a skilled security consultant and pay him.

> so throw the best options at me as well as the cheap solutions too :P

Nobody can tell unless he knows the environment and the requirements
completely.

> I would like to know your suggestions on whether I'm better off going
> ahead with a hardware firewall (Cisco routers for example)

There are no hardware firewalls except wirecutters.

> which is
> capable of DMZ, with the extra ports to separate my DMZ from my safe zone, or
> I should go ahead with software firewalls (dedicate a Linux PC with
> firewall software and 3 NICs) to use instead of a router/firewall?

Depends. Depends also on whether packet filtering is considered enough or
proxies are required. Nobody knows, since nobody knows the environment.

> I
> know that if I use the software firewall solution then I don't have to
> do anything to my router or get the ISP guys to configure anything for
> me, so that's another plus for the software solution!

Wrong. Though the ISP might not need to configure packet filtering on the
router, the ISP probably has to change some routing table entries.

> If you think a hardware firewall/router is the way to go, please tell me what
> brands or types are good for a medium-size company?

Depends on what the person configuring the stuff knows best.

> And also what software for the PC, if that's what you think I should do?

Depends on what the person configuring the stuff knows best.

Wolfgang

-- 
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
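The three-NIC Linux packet filter that the thread argues about, written out as an added example (this is not code from the post or from either participant). It models the FORWARD policy of a box with an assumed layout of eth0 towards the ISP router, eth1 on an assumed DMZ range 192.0.2.0/24 and eth2 on an assumed LAN range 192.168.1.0/24, decides the fate of the first packet of a new connection between zones, and emits the equivalent iptables commands. The rule set, interface names and addresses are all assumptions chosen for illustration:

```python
import ipaddress
from collections import namedtuple

# Assumed three-NIC layout (illustrative, not from the original post):
#   eth0  WAN   towards the ISP-managed router
#   eth1  DMZ   192.0.2.0/24   (TEST-NET-1, a documentation range)
#   eth2  LAN   192.168.1.0/24 (the "safe zone" with the file servers)
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "lan": ipaddress.ip_network("192.168.1.0/24"),
}
IFACE = {"wan": "eth0", "dmz": "eth1", "lan": "eth2"}

Rule = namedtuple("Rule", "src dst proto dport")  # dport None = any port

# Connections a zone may *initiate* into another zone. Anything not listed
# is dropped. Replies ride on connection tracking (ESTABLISHED,RELATED), so
# a DMZ host can answer the LAN without ever being allowed to open a
# connection into it.
POLICY = [
    Rule("wan", "dmz", "tcp", 80),    # public web server in the DMZ
    Rule("wan", "dmz", "tcp", 443),
    Rule("lan", "dmz", "tcp", 22),    # admins manage DMZ hosts from the LAN
    Rule("lan", "wan", "tcp", None),  # LAN browses the Internet, any port
    Rule("lan", "wan", "udp", 53),
    Rule("dmz", "wan", "udp", 53),    # DMZ hosts may resolve names, nothing more
    # deliberately absent: any rule with src="dmz", dst="lan"
]


def zone_of(ip):
    """Map an address to its zone; anything outside DMZ and LAN is the WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


def decide(src_ip, dst_ip, proto, dport):
    """Verdict for the first packet of a new connection crossing the box.

    Stateless model of the FORWARD chain: return traffic of an accepted
    connection is passed by conntrack and is not evaluated here."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "ACCEPT"  # same segment, never traverses the firewall
    for r in POLICY:
        if (r.src, r.dst, r.proto) == (src, dst, proto) and r.dport in (None, dport):
            return "ACCEPT"
    return "DROP"


def render_iptables():
    """Emit the iptables FORWARD chain equivalent to POLICY (generated text,
    nothing is applied to the running kernel)."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in POLICY:
        cmd = ["iptables", "-A", "FORWARD", "-i", IFACE[r.src],
               "-o", IFACE[r.dst], "-p", r.proto]
        if r.dport is not None:
            cmd += ["--dport", str(r.dport)]
        cmd += ["-j", "ACCEPT"]
        lines.append(" ".join(cmd))
    return lines


if __name__ == "__main__":
    for line in render_iptables():
        print(line)
    # Constructed sample flows: Internet to DMZ web, DMZ to LAN file server,
    # LAN admin to DMZ host.
    for flow in [("203.0.113.5", "192.0.2.10", "tcp", 80),
                 ("192.0.2.10", "192.168.1.20", "tcp", 445),
                 ("192.168.1.20", "192.0.2.10", "tcp", 22)]:
        print(flow, "->", decide(*flow))
```

The point the model makes is the asymmetry: the LAN may open connections into the DMZ, the DMZ can never open one into the LAN, and a DMZ host that gets compromised is left with nothing but DNS towards the outside. This is pure packet filtering; if, as the reply notes, proxies are required, the DMZ-facing services would sit behind application proxies on the same box or on a DMZ host, and the filter rules above would only admit traffic to those proxies.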

