Re: DMZ - Network topology

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 02/21/03


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Thu, 20 Feb 2003 21:06:38 -0500


"Adie" <a_usenetizen@hotmail.com> wrote in message
news:312a5vkvbkqf3p822ql0407k9u03vjkvi6@4ax.com...

> Hi Jeff, unfortunately I haven't purchased the firewall yet, so reading
> the docs is impossible. Just looking for general information before I make
> any decisions on which way to go about the design.

Well, you're not going to get the best security if you try to design the
firewall with no firewall experience. However, depending on your needs and
your budget, this might be enough security for you. [It might or might not
be enough to prevent hacking, it's hard to say.] Getting help, free or
paid, from someone knowledgeable in the area is helpful. [Note though that
there are plenty of paid consultants that don't know how to set up a
firewall securely either.]

Having said that, different firewalls have different features and use
somewhat different methods for protection. If you are planning to configure
and support this firewall yourself, best try to identify a major firewall
manufacturer that is known for ease of support and configuration... and
probably a good GUI. I might recommend www.netscreen.com 5XP which starts
around $500 US. You'll be hard pressed to find a cheaper firewall than that
that has an acceptable GUI and feature set, unless you go with something
from www.netgear.com or even www.linksys.com. If you want to go more
expensive, you could consider a Nortel Contivity switch, Nokia IP device or
something from intrusion.com, which all generally start around $800 to $1200
US. The devices over $500 listed here typically come with VPN for faster
remote access to the office network while out of the office.

If you're a beginner to this and you're the main support for this, I'd
probably stay away from Cisco and Microsoft ISA.

At those prices, though, you're probably not going to get a real DMZ, unless
you buy two of the firewalls. Note that there are two common DMZ setups...
one setup is a single firewall with a third network card that goes to the
isolated DMZ network, and another setup is two firewalls with at least two
network interfaces each, and the DMZ is often the network in between the two
firewalls. However, in each case, the amount of security you have depends
on how well you set up the rules on each firewall. These are probably not
the only two DMZ setups, but it's a start and should be pretty secure.
Getting a firewall with a third network interface for a DMZ usually costs
extra, sometimes a lot extra.

One very inexpensive solution would be to download and try a free Linux
firewall that boots off of a boot CD or floppy and runs on an old 486 or 586
computer. The advantage here is that you can afford to do all sorts of
fancy things that would cost a lot with other firewalls, like add a third
network card, have a spare firewall in case of hardware failure, build a
better DMZ using more than one firewall, etc. Even though these are Linux,
some of them claim to have an easy-to-use GUI aimed at home and small office
users. Also, most cities have third-party tech support consultants that
should support Linux firewalls, even perhaps allowing 24x7 on-site tech
support, something you won't typically get from other vendors. The
disadvantage is that if something goes wrong, you'd want to know Linux.

http://securityadmin.info/faq.htm#firewall

HTH


