Re: DMZ (De-militarized Zone)

From: Arman (arman_legend_at_hotmail.com)
Date: 12/02/03


Date: 1 Dec 2003 16:47:38 -0800

It seems like our friend Wolfgang Kueter has not understood what I
want! I don't want you to come and tell me, ok do this do that. I also
know that I can hire someone to come in and look at my situation.
Obviously our friend Wolfgang Kueter is missing the point that I'm
spending this time here writing this msg so I learn something, instead
of getting someone to come in and do the job for me! Dude, if you're going to
reply make sure you have something to suggest, not question someone's
intelligence! More than anything I want suggestions, I wanna know if
using a FreeBSD FW is going to benefit our business more than one of
these Cisco router/fw for instance. I guess I can explain our network
a bit more for Wolfgang Kueter:

        Internet
         (ISP)
           I
           I
           I
    Cisco 827 Router
           I
           I
           I
        OUR HUB
-------------------------
I      I       I       I
I      I       I       I
I      I       I       I
PC1    PC2     PC3     PC4
(Obviously we have more PCs and Servers than that but to make the
matter more simple this basic diagram can represent the network
situation). As I said our Cisco router has no extra interface/port for
DMZ. Usually the DMZ capable routers have LAN, WAN & DMZ, like the one
Hensen had suggested (Sonic Wall Pro100). Thanx Hensen btw. Therefore
it leaves us two options.

1. to buy a router/Firewall with DMZ capabilities.
2. Leave the router the way it is and use a linux FreeBSD FW

Again the question is what are your opinions on the two different
options I have above. I also wanna make sure that the right definition
of DMZ is what I think, which is to use a Router/FW (Hardware
Solution) or a PC Firewall (Software Solution) which then is going to
physically divide my current network into a De-militarized Zone and a
Safe Zone! There is no point in discussing this if my understanding is
wrong and useless in terms of what I want to achieve which is to
protect our important PCs and servers... etc. Please advise me if I'm
missing something here.

Wolfgang Kueter <wolfgang@shconnect.de> wrote in message news:<bqfi83$f1m$1@news.shlink.de>...
> Arman wrote:
>
> > I am prepared to create a DMZ network for all my testings and also a
> > Safe zone for my file servers and so on! Currently inside our office
> > there are several computers connected to a hub and then through a
> > Cisco 800 series router which gets configured by our ISP!
>
> So why the hell don't you discuss everything concerning network architecture
> with your ISP?
>
> > This router
> > is capable of DMZ but it only has one cable port which is useless to
> > me because the whole idea of DMZ is to create two separate networks
> > where the two can not talk to each other! Money is not exactly an
> > issue here, but maximum security is my main consideration,
>
> Fine, hire a skilled security consultant and pay him.
>
> > so throw the best options at me as well as the cheap solutions too :P
>
> Nobody can tell unless he knows the environment and the requirements
> completely.
>
> > I would like to know your suggestions on whether I'm better off going
> > ahead with hardware firewall (Cisco Routers for example)
>
> There are no hardware firewalls except wirecutters.
>
> > which is
> > capable of DMZ the extra ports to separate my DMZ from my safe zone or
> > I should go ahead with Software Firewalls (Dedicate a Linux pc with a
> > firewall software and 3 NIC) to be used instead of a Router/Firewall?
>
> Depends. Depends also whether packet-filtering is considered enough or
> proxies are required. Nobody knows since nobody knows the environment.
>
> > I
> > know that if I use the software firewall solution then I don't have to
> > do anything to my router or get the ISP guys to configure anything for
> > me so that's another plus for the Software solution!
>
> Wrong, though configuring packet-filtering on the router might not be
> necessary by the ISP, the ISP probably has to change some routing table
> entries.
>
> > If you think hardware firewall/router is the way to go plz tell me what
> > brands or types are good for a medium size company?
>
> Depends on what the person configuring the stuff knows best.
>
> > and also what softwares for the PC if that's what you think I should do?
>
> Depends on what the person configuring the stuff knows best.
>
> Wolfgang
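
The zone separation discussed in this thread (a dedicated Linux PC with three NICs between the router, the safe zone and the DMZ), sketched as an added example that is not part of either poster's message. The interface names `eth0`/`eth1`/`eth2`, the published port 80 and SSH management on port 22 are assumptions; the thread gives none of them.

```shell
#!/bin/sh
# Added example. Interface names and ports are assumptions, not from the thread.
#   $1 = NIC facing the Cisco router (WAN side)
#   $2 = NIC facing the safe zone (file servers, office PCs)
#   $3 = NIC facing the DMZ (test machines)
#   $4 = TCP port of a service published in the DMZ (default 80)
dmz_ruleset() {
    wan=$1; lan=$2; dmz=$3; port=${4:-80}
    cat <<EOF
*filter
# Anything not explicitly accepted below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Manage the firewall itself only from the safe zone (SSH assumed).
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
# Replies to connections that were allowed to start.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Safe zone may open connections outward and into the DMZ.
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $lan -o $dmz -j ACCEPT
# Outside may reach only the published DMZ service.
-A FORWARD -i $wan -o $dmz -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# DMZ hosts may reach the outside (updates), never the safe zone.
-A FORWARD -i $dmz -o $wan -j ACCEPT
COMMIT
EOF
}

# True if the generated ruleset lets zone $1 open connections to zone $2.
zone_allows() {
    dmz_ruleset eth0 eth1 eth2 80 |
        grep -q -e "^-A FORWARD -i $1 -o $2 .*-j ACCEPT"
}

# Print the ruleset; review it, then feed it to iptables-restore as root.
dmz_ruleset eth0 eth1 eth2 80
```

There is deliberately no rule from the DMZ or the WAN side into the safe zone, so those connection attempts fall through to the `FORWARD DROP` policy. `iptables-restore --test` parses the output without committing it.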


