Security Basics mailing list archives
RE: DMZ design
From: Dave Killion <Dkillion () netscreen com>
Date: Wed, 27 Aug 2003 09:57:19 -0700
Mr. Null,

The answer is "Depends" - depends on how much money you want to spend on firewalls.

For option 1, don't use a router, use a routing firewall. For option 2, you'll need 2 firewalls: one for Internet<->DMZ and one for DMZ<->Private.

Option 2 was called "Belt and Suspenders" in the day, when firewalls were slow as heck and were the ChokePoints in your network. With option 2, your 'belt' firewall (between Internet<->DMZ) takes all the pain of an external attack, leaving your private network still free to access the DMZ.

Option 1 gives you a single point of failure, unless you build redundancy into that point. Designing a network option 1 style, and having *every* subnet (Accounting, Marketing, Sales, Engineering, etc.) off of the firewall, takes the firewall from the border and puts it into the core, enhancing security, but at a cost of potentially bringing down your entire network if that firewall should fail.

Today's modern firewalls support multiple zones from a single unit and have higher session tables to handle more traffic. They're also a lot faster, especially if you go for an ASIC-based one. Most have built-in redundancy systems that allow you to put two firewalls in-line in parallel, so if one fails you're still okay.

Different people have different ideas on how to make networks more effective or more secure, and in the long run, there's no one right answer. Depending on the product selection, overall intent, and money you have to spend, either design is valid.

Good luck with your design. I hope this information is helpful,

Dave Killion
Senior Security Engineer
Security Group, NetScreen Technologies, Inc.

-----Original Message-----
From: me null [mailto:me_null () hotmail com]
Sent: Tuesday, August 26, 2003 10:29 PM
To: security-basics () securityfocus com
Subject: DMZ design

Hello, I was hoping someone could answer a couple of questions I had about DMZ design.

Speaking from a security standpoint, is it best to have your DMZ and Internal Network separated by a router (option 1), or is it better to have your Internal Net. connect to the internet through the DMZ (option 2)? All help is appreciated, thx.

option 1

internet
   |
  DMZ --- router ---- Network

option 2

internet -- DMZ --- Network
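As an added example (not code from either message), a small Python model of the two layouts: each topology is the list of firewalls a new connection must cross, and every firewall on the path must permit the flow under a default-deny zone policy. The zone address ranges and allowed ports are constructed assumptions chosen to illustrate the point that the DMZ never gets to open connections into the private network.

```python
"""Zone-policy model for the two DMZ layouts in the thread (added example)."""
from ipaddress import ip_address, ip_network

# Constructed zone map; anything outside these ranges counts as "internet".
ZONES = {"dmz": ip_network("192.0.2.0/24"), "private": ip_network("10.0.0.0/8")}

def zone_of(addr):
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

# A firewall policy maps (src_zone, dst_zone) to the TCP ports allowed for
# NEW connections. Unlisted pairs are denied (default deny), so a compromised
# DMZ host cannot initiate anything toward the private network.
BELT = {                                   # Internet <-> DMZ firewall
    ("internet", "dmz"): {80, 443},
    ("private", "dmz"): {22, 443},         # inside admins reach DMZ hosts
    ("private", "internet"): {80, 443},    # outbound browsing transits it
}
SUSPENDERS = {                             # DMZ <-> Private firewall
    ("private", "dmz"): {22, 443},
    ("private", "internet"): {80, 443},
}
# Option 1: one routing firewall with all three zones attached.
SINGLE = {k: BELT.get(k, set()) | SUSPENDERS.get(k, set())
          for k in BELT.keys() | SUSPENDERS.keys()}

def firewalls_on_path(design, src_zone, dst_zone):
    """Which firewalls a new connection crosses under each topology."""
    if design == "option1":
        return [SINGLE]
    crossed = {src_zone, dst_zone}
    path = []
    if "internet" in crossed:
        path.append(BELT)            # belt sits between Internet and DMZ
    if "private" in crossed:
        path.append(SUSPENDERS)      # suspenders sits between DMZ and Private
    return path                      # internet<->private crosses both

def allowed(design, src, dst, dport):
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True                  # intra-zone traffic never hits a firewall
    return all(dport in fw.get((s, d), set())
               for fw in firewalls_on_path(design, s, d))
```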