RE: [FW1] If a single firewall with 3 NIC's a considered a DMZ?
There is never any black and white here, just shades of grey. The setup you described I consider a DMZ.

In my case the features I would want for the router would be:

- Block outgoing connections initiated from the DMZ machines
- Log all access attempts to the DMZ machines
- Allow only the ports I want into the DMZ (e.g. ftp, http, https and not SunRPC)
- Alerts on particular ports that may indicate DOS attacks

If the router can do that then I'd use one. In my case an additional NIC is far cheaper than the difference between a 2 and 3 port router.

Downside: if I take the firewall out then my public web servers are out.

You can apply all the FW1 rules to the IP addresses off the additional NICs.

regards
Dean

-----Original Message-----
From: Brian Aust [mailto:[email protected]]
Sent: Friday, 26 January 2001 4:05 PM
To: Dean Cunningham; '[email protected]'
Subject: RE: [FW1] If a single firewall with 3 NIC's a considered a DMZ?

Okay.... I've got to ask a stupid question here. I've seen several posts on this thread describing a traditional DMZ as an extra NIC or two in the firewall from which DMZ machines branch off. I've always thought that a DMZ was off the router. Such as:

        Internet
           |
           |
      ---Router---
      |          |
   Firewall   DMZ boxes
      |
      |
  Internal LAN

Is this also a reasonable DMZ, or is having boxes directly off the router generally a no-no? I've got a hub sitting directly off the router, to which I have 3 machines attached in what I consider a DMZ. Is this reasonable? Stupid?

If a DMZ is off a 3rd NIC on the firewall, the firewall software does NO protection, correct? It just passes all traffic to that subnet without questions? Or does it also do some protection of DMZ boxes?

Cheers,
Brian Aust

-----Original Message-----
From: Dean Cunningham
To: '[email protected]'
Sent: 1/25/01 9:15 PM
Subject: RE: [FW1] If a single firewall with 3 NIC's a considered a DMZ?

Hi Alan,

Just to extend it a bit, there is no reason to limit your thoughts to just "a dmz". You can have multiple DMZs to keep your paranoia and your security policy happy :-)

For example, you could decide to put your dialup users in a separate DMZ to limit their access to internal resources and to protect them from potentially compromised machines in "the dmz":

              Internet
                 |
                 |
               Router
                 |
                 |
Dialup Users -------Firewall------- Web servers
                 |
                 |
          Internal network

-----Original Message-----
From: James Edwards [mailto:[email protected]]
Sent: Friday, 26 January 2001 5:37 AM
To: 'Allan Pratt'; [email protected]
Subject: RE: [FW1] If a single firewall with 3 NIC's a considered a DMZ?

Try this:

      Internet
         |
         |
     Firewall ------- Web servers
         |
         |
  Internal network

You wouldn't want your web server and other stuff just hangin' out in the breeze like your first example, and having two firewalls, while more secure, is a lot of overhead. This way, you use one firewall to control access to your DMZ from both the inside and outside networks. This is what I always understood to be the "classic" DMZ layout.

Jim Edwards
Systems Manager
Texas Secretary of State

-----Original Message-----
From: Allan Pratt [mailto:[email protected]]
Sent: Thursday, January 25, 2001 9:28 AM
To: [email protected]
Subject: [FW1] If a single firewall with 3 NIC's a considered a DMZ?

Hi,

Please help settle some confusion. Is a single firewall with 3 NIC's considered a DMZ? I always thought that a DMZ was:

  Internet Access router <=> web/ftp servers & Bastion host <=> Firewall

or better yet...........

  Internet Access router <=> Firewall <=> web/ftp servers & Bastion host <=> Firewall

Please clarify.

Thanks.
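Added example, not from any poster on this thread: a small stateful packet-filter model of the three-NIC layout (external, DMZ and internal interfaces on one firewall) that encodes the policy Dean lists, namely only the published ports (ftp, http, https) reach the DMZ and SunRPC does not, nothing initiated by a DMZ host is allowed out to the LAN or the Internet, and every attempt to reach a DMZ host is logged. It also answers Brian's question: traffic to and from the DMZ NIC is judged by the same rulebase, so the DMZ boxes are protected rather than "just passed through". The addresses, zone names, class and function names are all constructed for the example; they are not FW1 objects or rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones behind the three NICs. Address ranges are constructed (RFC 5737 / RFC 1918).
EXT, DMZ, INT = "ext", "dmz", "int"
ZONE_NETS = {
    DMZ: ip_network("192.0.2.0/24"),
    INT: ip_network("10.0.0.0/8"),
}
# Services published from the DMZ: ftp, http, https. SunRPC (111) is deliberately absent.
DMZ_SERVICES = {21, 80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Map an address to the NIC/zone it belongs to; anything not ours is external."""
    ip = ip_address(addr)
    for zone, net in ZONE_NETS.items():
        if ip in net:
            return zone
    return EXT


class ThreeNicFirewall:
    """Stateful filter: the first packet of a flow is judged by policy,
    later packets of an accepted flow (in either direction) pass."""

    def __init__(self) -> None:
        self.log: list[str] = []
        self.established: set[tuple] = set()

    def _policy(self, pkt: Packet, src_zone: str, dst_zone: str) -> str:
        if src_zone == DMZ:
            # Rule 1: nothing initiated by a DMZ host leaves the DMZ, so a
            # compromised web server cannot reach the LAN or call home.
            return "DROP"
        if dst_zone == DMZ:
            # Rule 3: only the published services, whether the client is outside or inside.
            ok = pkt.proto == "tcp" and pkt.dport in DMZ_SERVICES
            return "ACCEPT" if ok else "DROP"
        if src_zone == INT and dst_zone == EXT:
            return "ACCEPT"  # internal users browsing out
        return "DROP"  # default deny, which also covers Internet -> internal LAN

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if flow in self.established or reverse in self.established:
            return "ACCEPT"  # reply or continuation of an already-accepted flow
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        verdict = self._policy(pkt, src_zone, dst_zone)
        if dst_zone == DMZ:
            # Rule 2: log every attempt to reach a DMZ host, accepted or not.
            self.log.append(
                f"{verdict} {src_zone}->{dst_zone} {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}"
            )
        if verdict == "ACCEPT":
            self.established.add(flow)
        return verdict


def run_demo() -> tuple[list[tuple[str, str]], list[str]]:
    """Run constructed traffic through the policy; returns ((label, verdict) pairs, log)."""
    fw = ThreeNicFirewall()
    cases = [
        ("internet -> dmz web",        Packet("198.51.100.7", "192.0.2.10", 40001, 80)),
        ("internet -> dmz sunrpc",     Packet("198.51.100.7", "192.0.2.10", 40002, 111)),
        ("dmz web reply -> internet",  Packet("192.0.2.10", "198.51.100.7", 80, 40001)),
        ("dmz host -> internal smb",   Packet("192.0.2.10", "10.0.0.5", 40003, 445)),
        ("dmz host -> internet http",  Packet("192.0.2.10", "203.0.113.9", 40004, 80)),
        ("internal -> dmz https",      Packet("10.0.0.5", "192.0.2.10", 40005, 443)),
        ("internet -> internal lan",   Packet("198.51.100.7", "10.0.0.5", 40006, 80)),
    ]
    results = [(label, fw.decide(pkt)) for label, pkt in cases]
    return results, fw.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    for label, verdict in verdicts:
        print(f"{verdict:6} {label}")
    print("--- DMZ access log ---")
    print("\n".join(log))
```

The web reply from the DMZ host is accepted only because the outside client's request was accepted first and recorded as an established flow; the same DMZ host opening a fresh connection to the LAN or the Internet is dropped, which is the property that makes a third NIC a real DMZ rather than a hub hanging off the router with no filter between it and the LAN.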
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================

***************************************************
This e-mail is not an official statement of the Waikato Regional Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************