RE: [FW1] Is a single firewall with 3 NICs considered a DMZ?
Brian,

It's generally a bad idea to have your web servers on the external router segment like that. The whole idea of putting the DMZ on a separate interface of the firewall is to allow you the added granularity in controlling access to those machines. Typically, people allow something like "ANY web-server HTTP/HTTPS Accept" and "web-server backend-db-server sqlnet Accept" in a scenario like that. In 90% of the cases I've seen, you don't need much more than that (unless this is a large B2C type application.) Doing so greatly limits the likelihood of someone doing a NON HTTP BASED attack against your web servers.....

Hope this helps.

Jason

At 10:04 PM 1/25/01 -0500, Brian Aust wrote:
>
> Okay.... I've got to ask a stupid question here.
>
> I've seen several posts on this thread describing a traditional DMZ as an extra NIC or two in the firewall from which DMZ machines branch off.
>
> I've always thought that a DMZ was off the router. Such as:
>
>           Internet
>              |
>              |
>              |
>         ---Router---
>         |         |
>     Firewall   DMZ boxes
>         |
>         |
>    Internal LAN
>
>
> Is this also a reasonable DMZ, or is having boxes directly off the router generally a no-no? I've got a hub sitting directly off the router, to which I have 3 machines attached in what I consider a DMZ. Is this reasonable? Stupid?
>
> If a DMZ is off a 3rd NIC on the firewall, the firewall software does NO protection, correct? It just passes all traffic to that subnet without questions? Or does it also do some protection of DMZ boxes?
>
> Cheers,
> Brian Aust
>
> -----Original Message-----
> From: Dean Cunningham
> To: '[email protected]'
> Sent: 1/25/01 9:15 PM
> Subject: RE: [FW1] Is a single firewall with 3 NICs considered a DMZ?
>
>
> Hi Alan,
> Just to extend it a bit, there is no reason to limit your thoughts to just "a dmz".
> You can have multiple DMZs to keep your paranoia and your security policy happy :-)
> For example you could decide to put your dialup users in a separate dmz to limit their access to internal resources and to protect them from potentially compromised machines in "the dmz"
>
>                       Internet
>                          |
>                          |
>                        Router
>                          |
>                          |
> Dialup Users -------Firewall ------- Web servers
>                          |
>                          |
>                   Internal network
>
> -----Original Message-----
> From: James Edwards [mailto:[email protected]]
> Sent: Friday, 26 January 2001 5:37 AM
> To: 'Allan Pratt'; [email protected]
> Subject: RE: [FW1] Is a single firewall with 3 NICs considered a DMZ?
>
>
> Try this:
>
>      Internet
>         |
>         |
>      Firewall ------- Web servers
>         |
>         |
>   Internal network
>
>
> You wouldn't want your web server and other stuff just hanging out in the breeze like your first example, and having two firewalls, while more secure, is a lot of overhead. This way, you use one firewall to control access to your DMZ from both the inside and outside networks.
>
> This is what I always understood to be the "classic" DMZ layout.
>
> Jim Edwards
> Systems Manager
> Texas Secretary of State
>
> -----Original Message-----
> From: Allan Pratt [mailto:[email protected]]
> Sent: Thursday, January 25, 2001 9:28 AM
> To: [email protected]
> Subject: [FW1] Is a single firewall with 3 NICs considered a DMZ?
>
>
> Hi,
>
> Please help settle some confusion.
>
> Is a single firewall with 3 NICs considered a DMZ?
>
> I always thought that a DMZ was:
>
> Internet Access router <=> web/ftp servers & Bastion host <=> Firewall
>
> or better yet...........
>
> Internet Access router <=> Firewall <=> web/ftp servers & Bastion host <=> Firewall
>
> Please clarify
>
> Thanks.
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
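The two rules Jason describes ("ANY web-server HTTP/HTTPS Accept" and "web-server backend-db-server sqlnet Accept") on a three-interface firewall, written out as an added example that is not part of this thread and not a Check Point rule base: it is a Linux iptables FORWARD policy with a default drop, so the DMZ host is reachable only on HTTP/HTTPS and can only reach the database on SQL*Net. Interface names, the DMZ and internal addresses, and the SQL*Net port (1521, Oracle's default listener port) are assumptions for illustration. By default the script only prints the commands; set IPT=iptables and run it as root to apply them.

```sh
#!/bin/sh
# Added example (not from the thread): three-NIC firewall, default-deny forwarding policy.
# All interface names and addresses below are assumptions chosen for illustration.
set -eu

EXT_IF=${EXT_IF:-eth0}            # leg facing the Internet router
INT_IF=${INT_IF:-eth1}            # leg facing the internal LAN
DMZ_IF=${DMZ_IF:-eth2}            # third NIC: the DMZ segment
DMZ_NET=${DMZ_NET:-198.51.100.0/24}   # constructed DMZ range (documentation prefix)
INT_NET=${INT_NET:-10.0.0.0/24}       # constructed internal range
WEB=${WEB:-198.51.100.10}         # DMZ web server (constructed address)
DB=${DB:-10.0.0.20}               # internal backend database server (constructed address)
SQLNET_PORT=${SQLNET_PORT:-1521}  # Oracle SQL*Net listener, default port (assumption)

# Dry run unless told otherwise: "echo iptables" prints each command instead of applying it.
IPT=${IPT:-"echo iptables"}

emit_rules() {
    # Default deny on the forwarding path: anything not explicitly listed is dropped.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Anti-spoofing: packets arriving on the external leg must not claim DMZ or internal sources.
    $IPT -A FORWARD -i "$EXT_IF" -s "$DMZ_NET" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP

    # Reply traffic for sessions that were already accepted below.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Rule 1: ANY -> web-server HTTP/HTTPS Accept (no -i, so inside and outside both qualify).
    $IPT -A FORWARD -o "$DMZ_IF" -d "$WEB" -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Rule 2: web-server -> backend-db-server sqlnet Accept. Nothing else leaves the DMZ,
    # so a compromised web server cannot browse the internal LAN.
    $IPT -A FORWARD -i "$DMZ_IF" -s "$WEB" -o "$INT_IF" -d "$DB" -p tcp --dport "$SQLNET_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Log what the default policy is about to drop, rate-limited, so non-HTTP probes
    # against the DMZ show up in the firewall log rather than vanishing silently.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DMZ-DROP: "
}

emit_rules
```

The rules for traffic to and from the firewall itself (INPUT/OUTPUT chains) and any NAT for the DMZ are deliberately left out; the point is the forwarding policy between the three legs, which is exactly the granularity Jason says the third NIC buys you.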