
RE: [FW1] If a single firewall with 3 NIC's a considered a DMZ?



Brian,

It's generally a bad idea to have your web servers on the external router
segment like that.  The whole idea of putting the DMZ on a separate
interface of the firewall is to allow you the added granularity in
controlling access to those machines.  Typically, people allow something
like "ANY web-server HTTP/HTTPS Accept" and "web-server backend-db-server
sqlnet Accept" in a scenario like that.  In 90% of the cases I've seen, you
don't need much more than that (unless this is a large B2C type
application.)  Doing so greatly limits the likelihood of someone doing a
NON HTTP BASED attack against your web servers...

Hope this helps.

Jason

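To make the point about granularity concrete, here is an added example (not from any of the original posts): a small Python zone model that evaluates constructed flows against Jason's two-rule policy on a 3-NIC firewall and against Brian's router-segment layout. Zone names, the rule format, the sample flows and the SQL*Net port (TCP/1521) are assumptions.

```python
"""Zone model of the two DMZ layouts debated above (added example, not from
the original posts).  Zone names, the rule format, the sample flows and the
SQL*Net port (TCP/1521, Oracle's default listener) are all assumptions."""
from dataclasses import dataclass

ACCEPT, DROP = "ACCEPT", "DROP"

@dataclass(frozen=True)
class Flow:
    """A new connection attempt from one zone to another."""
    src_zone: str   # "internet", "dmz" or "internal"
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int

# Rule: (src_zone, dst_zone, proto or None, dport or None, action).
# First match wins; anything unmatched falls through to DROP.
# Jason's 3-NIC policy: "ANY web-server HTTP/HTTPS Accept" and
# "web-server backend-db-server sqlnet Accept", nothing else.
THREE_NIC_RULES = [
    ("internet", "dmz", "tcp", 80, ACCEPT),
    ("internet", "dmz", "tcp", 443, ACCEPT),
    ("dmz", "internal", "tcp", 1521, ACCEPT),   # assumed SQL*Net port
]

# Brian's layout: the DMZ hub sits on the router segment in front of the
# firewall, so internet -> dmz traffic never crosses a filtering interface.
ROUTER_SEGMENT_RULES = [
    ("internet", "dmz", None, None, ACCEPT),
]

def evaluate(flow: Flow, rules) -> str:
    """Return ACCEPT or DROP for `flow` under a first-match ruleset."""
    for src, dst, proto, dport, action in rules:
        if (src, dst) != (flow.src_zone, flow.dst_zone):
            continue
        if proto is not None and proto != flow.proto:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return DROP   # default deny: the firewall does filter the DMZ leg

def compare(flow: Flow) -> dict:
    """Decision for the same flow under both layouts."""
    return {"three_nic": evaluate(flow, THREE_NIC_RULES),
            "router_segment": evaluate(flow, ROUTER_SEGMENT_RULES)}
```

A non-HTTP connection aimed at the web server is the case that separates the two layouts: `compare(Flow("internet", "dmz", "tcp", 22))` is dropped by the 3-NIC policy but passes untouched on the router segment.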
At 10:04 PM 1/25/01 -0500, Brian Aust wrote:
>
>Okay....  I've got to ask a stupid question here.
>
>I've seen several posts on this thread describing a traditional DMZ as an
>extra NIC or two in the firewall from which DMZ machines branch off.
>
>I've always thought that a DMZ was off the router.  Such as:
>
>            Internet
>                |
>                |
>                |
>          ---Router---
>          |           |
>       Firewall      DMZ boxes
>          |  
>          |
>     Internal LAN
>
>
>Is this also a reasonable DMZ, or is having boxes directly off the router
>generally a no-no?  I've got a hub sitting directly off the router, to which
>I have 3 machines attached in what I consider a DMZ.  Is this reasonable?
>Stupid?
>
>If a DMZ is off a 3rd NIC on the firewall, the firewall software does NO
>protection, correct?  It just passes all traffic to that subnet without
>questions?  Or does it also do some protection of DMZ boxes?
>
>Cheers,
>Brian Aust
>
>-----Original Message-----
>From: Dean Cunningham
>To: '[email protected]'
>Sent: 1/25/01 9:15 PM
>Subject: RE: [FW1] If a single firewall with 3 NIC's a considered a DMZ?
>
>
>Hi Alan,
>Just to extend it a bit, there is no reason to limit your thoughts to just
>"a dmz".
>You can have multiple DMZs to keep your paranoia and your security policy
>happy :-)
>For example you could decide to put your dialup users in a separate dmz to
>limit their access to internal resources and to protect them from
>potentially compromised machines in "the dmz"
>
>                     Internet
>                        |
>                        |
>                      Router
>                        |
>                        |
>Dialup Users -------Firewall ------- Web servers
>                        |
>                        |
>                Internal network
>
>-----Original Message-----
>From: James Edwards [mailto:[email protected]]
>Sent: Friday, 26 January 2001 5:37 AM
>To: 'Allan Pratt'; [email protected]
>Subject: RE: [FW1] If a single firewall with 3 NIC's a considered a DMZ?
>
>
>
>Try this:
>
>Internet
>    |
>    |
>Firewall ------- Web servers
>    |
>    |
>Internal network
>
>
>You wouldn't want your web server and other stuff just hanging out in the
>breeze like your first example, and having two firewalls, while more secure,
>is a lot of overhead.  This way, you use one firewall to control access to
>your DMZ from both the inside and outside networks.
>
>This is what I always understood to be the "classic" DMZ layout.
>
>Jim Edwards
>Systems Manager
>Texas Secretary of State
>
>-----Original Message-----
>From: Allan Pratt [mailto:[email protected]]
>Sent: Thursday, January 25, 2001 9:28 AM
>To: [email protected]
>Subject: [FW1] If a single firewall with 3 NIC's a considered a DMZ?
>
>
>
>
>
>Hi,
>
>Please help settle some confusion.
>
>Is a single firewall with 3 NICs considered a DMZ?
>
>I always thought that a DMZ was:
>
>Internet Access router <=> web/ftp servers & Bastion host <=> Firewall
>
>or better yet...
>
>Internet Access router <=> Firewall <=> web/ftp servers & Bastion host <=> Firewall
>
>
>Please clarify
>
>Thanks.
>
>
>
>


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



   All contents © 2004 Network Presence, LLC. All rights reserved.