
RE: [FW1] DMZ advantages



If you require a publicly available system, I can't think of any reason NOT
to use a DMZ.  But...

The main reason for a DMZ (and perhaps the biggest advantage) is protection
of the LAN and local domains via network-layer segregation.  This is a great
improvement over a typical (slack) setup, in which machines on the local
domain are made public and "secured" by NATing them behind some lame routing
device.  Remember, you can rarely have too much segregation from a security
standpoint.

The only notable disadvantage that I can think of is that, depending on how
much segregation is required, it can be kind of a pain to maintain DMZ
systems.  This especially goes for those that require a lot of updates and
maintenance.  Look into a tunneling system or the like to provide remote
administration, but be careful!

One more: Cost.  It can be costly to set up a hardened DMZ.  However, this
is all relative to the size and complexity of your network.  Typically,
however, you'll want 1) a separate switching device, 2) some type of IDS or
monitor, and 3) a separate firewall tailored to your DMZ systems.  This can
be really cheap, if you can go with Snort, a *BSD box, etc.  However, if you
require certain advanced functionality, you may need Firewall-1, an advanced
IDS, etc.

Keith W. McCammon
Sr. Network Engineer
AdvanceMed Corporation
11710 Plaza America Drive
Reston, VA 20190

-----Original Message-----
From: MARIO MORENO CUERVO [mailto:[email protected]]
Sent: Wednesday, June 20, 2001 9:23 AM
To: '[email protected]'
Subject: [FW1] DMZ advantages



Hello Gurus

We are thinking about implementing a DMZ in our network. Could you please
share your experience (advantages and disadvantages) working with DMZs?

Thanks a lot for your help.


============================================================================
====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====


   All contents © 2004 Network Presence, LLC. All rights reserved.