
RE: [FW1] If a single firewall with 3 NIC's a considered a DMZ?



Brian:

Not a stupid question at all.  This is also a common scenario, but not as
secure.  It's good to understand both options.

I consider a DMZ to be any network where the hosts can be contacted from
the Internet.  These servers generally provide services such as SMTP, HTTP,
FTP, DNS, etc.  Because they can be contacted from the Internet, they are
considered inherently insecure and mission critical data is generally not
kept on them (credit cards, proprietary information, etc.).

If you connect another interface to the firewall, and build a DMZ off of
it, you can absolutely write rules to protect the servers in the DMZ.  If
all you need is incoming HTTP, SMTP and FTP, why not just open up ports 80,
25 and 21, respectively, instead of leaving your unpatched, insecure, fully
loaded Solaris boxes sitting off a router with every port open and service
running, waiting for some 14-year-old script kiddie to download the exploit
and hack your box?  You could configure access lists on the router, but now
you've essentially got two filtering devices to manage.

I think it's better to put the DMZ off an additional interface on the
firewall, and craft rules that limit services into the DMZ.  You can also
add a rule to generate a user defined alert if someone from the DMZ tries
to get into your internal network.  This is a good indication that
something on the DMZ was compromised.

Now the scenario you asked about in your post would make a good honey pot ;-).

Joel

PS: And you saved a few $$$ on a NIC card, but probably not as much as
you'll spend trying to deal with the boxes that suffered a root compromise.
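
The rulebase Joel describes, modelled as an added example that is not from the original thread or from any FireWall-1 configuration: a first-match, zone-based policy that exposes only HTTP, SMTP and FTP to the DMZ, lets the inside reach those same services, and treats any DMZ-to-internal attempt as an alert-worthy compromise indicator. It also generalizes to the separate dialup DMZ Dean describes further down the thread, and puts Brian's unfiltered "off the router" layout beside it for comparison. Zone names, the ports granted to the dialup zone, and the sample flows are all constructed for illustration.

```python
# Added example: a minimal model of a zone-based firewall rulebase for the
# three-interface DMZ layout discussed in this thread. Zone names, the dialup
# allowances and the sample traffic are constructed; this is not FireWall-1 syntax.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "*" matches any zone
    dst_zone: str
    ports: FrozenSet[int]    # empty set = any destination port
    action: str              # "accept" or "drop"
    alert: bool = False      # raise a user-defined alert when this rule matches
    comment: str = ""


ANY: FrozenSet[int] = frozenset()

# Three-interface layout: only the services the DMZ actually serves are reachable
# from the Internet; the inside may use those same services; DMZ hosts may never
# initiate traffic toward the inside or the dialup segment (if they try, something
# on the DMZ was probably compromised). Everything else falls to the cleanup rule.
POLICY: List[Rule] = [
    Rule("internet", "dmz", frozenset({80, 25, 21}), "accept", comment="public services only"),
    Rule("internal", "dmz", frozenset({80, 25, 21}), "accept", comment="inside users reach DMZ services"),
    Rule("internal", "internet", ANY, "accept", comment="outbound from the inside"),
    Rule("dialup", "dmz", frozenset({80}), "accept", comment="dialup users: web servers only (constructed)"),
    Rule("dialup", "internal", frozenset({25}), "accept", comment="dialup users: mail only (constructed)"),
    Rule("dmz", "internal", ANY, "drop", alert=True, comment="DMZ -> inside: compromise indicator"),
    Rule("dmz", "dialup", ANY, "drop", alert=True, comment="DMZ -> dialup: compromise indicator"),
    Rule("*", "*", ANY, "drop", comment="implicit cleanup"),
]

# Brian's layout: DMZ hosts hang off the router with no filtering device in front
# of them, modelled as a policy that accepts everything from the Internet to the DMZ.
UNFILTERED_DMZ: List[Rule] = [
    Rule("internet", "dmz", ANY, "accept", comment="no filtering device in the path"),
    Rule("*", "*", ANY, "drop", comment="implicit cleanup"),
]


def match(rule: Rule, flow: Flow) -> bool:
    """A rule matches when both zones match (or are wildcards) and the port is allowed."""
    return (rule.src_zone in ("*", flow.src_zone)
            and rule.dst_zone in ("*", flow.dst_zone)
            and (not rule.ports or flow.dst_port in rule.ports))


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, bool, str]:
    """First-match evaluation, top to bottom. Returns (action, alert, rule comment)."""
    for rule in policy:
        if match(rule, flow):
            return rule.action, rule.alert, rule.comment
    raise AssertionError("policy has no cleanup rule")


def alerts(flows: List[Flow], policy: List[Rule] = POLICY) -> List[Flow]:
    """Return the flows that should page an administrator."""
    return [f for f in flows if evaluate(f, policy)[1]]


# Constructed sample traffic seen at the firewall.
SAMPLE_FLOWS: List[Flow] = [
    Flow("internet", "dmz", 80),        # accepted: published web service
    Flow("internet", "dmz", 23),        # dropped: telnet is never exposed
    Flow("internet", "internal", 139),  # dropped: nothing inside is reachable
    Flow("dmz", "internal", 445),       # dropped AND alerted: DMZ host reaching inward
    Flow("internal", "dmz", 21),        # accepted: inside admin using FTP to the DMZ
    Flow("dialup", "internal", 445),    # dropped: dialup users get mail only
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, alert, why = evaluate(f)
        flag = "  ALERT" if alert else ""
        print(f"{f.src_zone:>8} -> {f.dst_zone:<8} {f.proto}/{f.dst_port:<5} {action:6} ({why}){flag}")
    # Same telnet probe against the unfiltered layout: it simply gets through.
    print("unfiltered telnet to DMZ:", evaluate(Flow("internet", "dmz", 23), UNFILTERED_DMZ)[0])
```

The two policies differ only in what stands between the Internet and the DMZ: with the DMZ on its own firewall interface, a telnet probe to a DMZ host is dropped by the cleanup rule, while in the router-only layout the same probe is accepted because nothing is filtering it. The DMZ-to-internal rules sit above the cleanup rule so that those attempts are both blocked and logged as an explicit alert rather than disappearing into the generic drop count.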



At 10:04 PM 1/25/01 -0500, Brian Aust wrote:
>
>Okay....  I've got to ask a stupid question here.
>
>I've seen several posts on this thread describing a traditional DMZ as an
>extra NIC or two in the firewall from which DMZ machines branch off.
>
>I've always thought that a DMZ was off the router.  Such as:
>
>            Internet
>                |
>                |
>                |
>          ---Router---
>          |           |
>       Firewall      DMZ boxes
>          |  
>          |
>     Internal LAN
>
>
>Is this also a reasonable DMZ, or is having boxes directly off the router
>generally a no-no?  I've got a hub sitting directly off the router, to which
>I have 3 machines attached in what I consider a DMZ.  Is this reasonable?
>Stupid?
>
>If a DMZ is off a 3rd NIC on the firewall, the firewall software does NO
>protection, correct?  It just passes all traffic to that subnet without
>questions?  Or does it also do some protection of DMZ boxes?
>
>Cheers,
>Brian Aust
>
>-----Original Message-----
>From: Dean Cunningham
>To: '[email protected]'
>Sent: 1/25/01 9:15 PM
>Subject: RE: [FW1] If a single firewall with 3 NIC's a considered a DMZ?
>
>
>Hi Allan,
>Just to extend it a bit, there is no reason to limit your thoughts to just
>"a DMZ".  You can have multiple DMZs to keep your paranoia and your security
>policy happy :-)
>For example, you could decide to put your dialup users in a separate DMZ to
>limit their access to internal resources and to protect them from
>potentially compromised machines in "the DMZ".
>
>                     Internet
>                        |
>                        |
>                      Router
>                        |
>                        |
>Dialup Users -------Firewall ------- Web servers
>                        |
>                        |
>                Internal network
>
>-----Original Message-----
>From: James Edwards [mailto:[email protected]]
>Sent: Friday, 26 January 2001 5:37 AM
>To: 'Allan Pratt'; [email protected]
>Subject: RE: [FW1] If a single firewall with 3 NIC's a considered a DMZ?
>
>
>
>Try this:
>
>Internet
>    |
>    |
>Firewall ------- Web servers
>    |
>    |
>Internal network
>
>
>You wouldn't want your web server and other stuff just hanging out in the
>breeze like your first example, and having two firewalls, while more secure,
>is a lot of overhead.  This way, you use one firewall to control access to
>your DMZ from both the inside and outside networks.
>
>This is what I always understood to be the "classic" DMZ layout.
>
>Jim Edwards
>Systems Manager
>Texas Secretary of State
>
>-----Original Message-----
>From: Allan Pratt [mailto:[email protected]]
>Sent: Thursday, January 25, 2001 9:28 AM
>To: [email protected]
>Subject: [FW1] If a single firewall with 3 NIC's a considered a DMZ?
>
>
>
>
>
>Hi,
>
>Please help settle some confusion.
>
>Is a single firewall with 3 NICs considered a DMZ?
>
>I always thought that a DMZ was:
>
>Internet Access router <=> web/ftp servers & Bastion host <=> Firewall
>
>or better yet...
>
>Internet Access router <=> Firewall <=> web/ftp servers & Bastion host <=> Firewall
>
>
>Please clarify
>
>Thanks.
>
>
>
>
>========================================================================
>     To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
>========================================================================