RE: [FW1] DMZ advantages
If you require a publicly available system, I can't think of any reason NOT to use a DMZ. But...

The main reason for a DMZ (and perhaps the biggest advantage) is protection of the LAN and local domains via network-layer segregation. This is a great improvement over a typical (slack) setup, in which machines on the local domain are made public and "secured" by NATing them behind some lame routing device. Remember, you can rarely have too much segregation from a security standpoint.

The only notable disadvantage that I can think of is that, depending on how much segregation is required, it can be kind of a pain to maintain DMZ systems. This especially goes for those that require a lot of updates and maintenance. Look into a tunneling system or the like to provide remote administration, but be careful!

One more: Cost. It can be costly to set up a hardened DMZ. However, this is all relative to the size and complexity of your network. Typically, however, you'll want 1) a separate switching device, 2) some type of IDS or monitor, and 3) a separate firewall tailored to your DMZ systems. This can be really cheap, if you can go with Snort, a *BSD box, etc. However, if you require certain advanced functionality, you may need Firewall-1, an advanced IDS, etc.

Keith W. McCammon
Sr. Network Engineer
AdvanceMed Corporation
11710 Plaza America Drive
Reston, VA 20190

-----Original Message-----
From: MARIO MORENO CUERVO [mailto:[email protected]]
Sent: Wednesday, June 20, 2001 9:23 AM
To: '[email protected]'
Subject: [FW1] DMZ advantages

Hello Gurus

We are thinking about implementing a DMZ in our network. Could you please share your experience (advantages and disadvantages) working with DMZs.

Thanks a lot for your help.
================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================