Security Basics mailing list archives
Re: Firewall and DMZ topology
From: Christopher Ingram <cmi () crystalsands net>
Date: Mon, 09 Jun 2003 16:44:42 -0400
That would be more secure than some of the options presented, although the first firewall could reside on the DMZ. The point, however, is that even though the DMZ is isolated from the internal network (things like file sharing between workstations are protected), should the DMZ be compromised, all traffic moving between the internal network and the outside is sniffable. This includes e-mails, web site passwords, etc.
So, the below setup is not decent for a corporate LAN. Ideally, the DMZ should sit on a separate connection to the Internet from the rest of the network, using a different ISP and therefore a different IP block. This provides the most isolation.
So to recap, separate uplinks are the best solution for security. Splitting a single uplink with a hardware router is #2, as it is generally VERY difficult to compromise a SOHO hardware router in a way that would gain additional access to the internal network.
A single firewall + router with 3 NICs is #3, or #2 in a corporate setting.
On Monday, June 9, 2003, at 04:11 PM, Erik Vincent wrote:
So according to your answer,

Internet | -->| Firewall |-->| DMZ |-->| Firewall |-->| Internal network

should be a more secure option. Is it good enough for a corporate LAN?

Christopher Ingram wrote:

On Saturday, June 7, 2003, at 10:06 AM, William J. Burgos wrote:

Greetings list,

I would like to set up a SOHO network with a firewall and DMZ for mostly web serving and email. Of course, there are private PCs on the internal network, Windows and Linux. My connection is a dynamic IP on a pppoe and I already have an old laptop used as a simple firewall setup. I am considering separating my web and email server to a dedicated machine and placing it in a DMZ. In searching on the web, I came up with a few topologies and I would like to ask the list for their opinion. I have sketched out a few scenarios below:

1. | Internet |-->| Firewall |-->| DMZ |-->| internal network |

This scenario (1) puts the DMZ between the firewall and internal network. I have read that this is insecure as if the DMZ is compromised, so will be the internal network. Is this true?

2. | Internet |-->| Firewall |--->| internal network |
                       |
                       |--->| DMZ |

This scenario (2) uses three NICs for the firewall. One for the internal network, one for the DMZ and one for the Internet. I have read that this is a Three-legged firewall setup. The drawback is that I would need three NICs for the firewall, which is now a laptop with only two.

3. | Internet |-->| DMZ with Firewall |-->| internal network |

This scenario (3) places the DMZ with the firewall on one box and then to the internal network. My concern is if I can secure the DMZ from the firewall on one box. Is there a way to secure this setup?

4. | Internet |-->| DMZ |-->| Firewall |-->| internal network |

This scenario (4) places the DMZ before the Firewall, which leaves it open to the Internet. Is there a way to secure this setup?

I am trying to avoid having to get another box with three NICs for Scenario 2, if possible. However, I would feel safer in a less easy to break in setup. Any comments or suggestions would be appreciated. Thanks in advance.

William Burgos

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------

William,

I would strongly recommend going with the 3 NIC setup. If not, you can always purchase a cheap hardware router and use clever allocation of your IP addresses.

Internet -> Router -> DMZ -> Firewall (NAT?) -> Workstations

Keep in mind that if you use any of the scenarios where the DMZ is inline with the firewall and your internal network, compromising one will yield easy access to the others. Well, at least the ability to sniff traffic between your internal network and the Internet or the DMZ. The point of a DMZ is to completely isolate it from the rest of your network. Using an inline setup makes expanding access in the event of a security breach easier.
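The disagreement in this thread (inline DMZ versus three-legged firewall versus separate uplinks) reduces to two path properties: does internal-to-Internet traffic transit the DMZ segment, and does the DMZ face the Internet with no firewall in front of it. The script below, added here as an illustration and not code from any of the posters, models each scenario as a graph of segments and devices and checks those properties mechanically. The segment names, the link lists, and the assumption that a compromised host on a transit segment can observe traffic crossing it are constructed for the example; scenario 3 (DMZ and firewall on one box) is a host-isolation question rather than a link question and is not modelled.

```python
"""Model the DMZ placements discussed in the thread as segment graphs and
check the two properties the replies argue over: whether a compromised DMZ
sits on the path that internal<->Internet traffic transits (so it could sniff
that traffic) and whether the DMZ faces the Internet with no firewall in front.

Added example for this archived thread; it is not code from any poster.
Segment names and link lists are constructed for illustration.
"""
from collections import deque

# Constructed topologies, one per arrangement mentioned in the thread. Each
# link joins two segments or devices; undirected edges suffice for a path check.
TOPOLOGIES = {
    "1 inline dmz": [("Internet", "Firewall"), ("Firewall", "DMZ"), ("DMZ", "Internal")],
    "2 three-legged": [("Internet", "Firewall"), ("Firewall", "Internal"), ("Firewall", "DMZ")],
    "4 dmz outside": [("Internet", "DMZ"), ("DMZ", "Firewall"), ("Firewall", "Internal")],
    "dual firewall": [("Internet", "Firewall-A"), ("Firewall-A", "DMZ"),
                      ("DMZ", "Firewall-B"), ("Firewall-B", "Internal")],
    "separate uplinks": [("Internet", "Firewall-A"), ("Firewall-A", "Internal"),
                         ("Internet", "Firewall-B"), ("Firewall-B", "DMZ")],
}


def build_graph(links):
    """Undirected adjacency map built from (a, b) link pairs."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def shortest_path(graph, src, dst):
    """Breadth-first search; returns the node list from src to dst, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):  # sorted for deterministic paths
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def is_firewall(node):
    """Naming convention assumed for this example: firewalls start with 'Firewall'."""
    return node.lower().startswith("firewall")


def assess(links, dmz="DMZ", inside="Internal", outside="Internet"):
    """Return the isolation properties the thread argues about for one topology."""
    graph = build_graph(links)
    transit = shortest_path(graph, outside, inside)      # what internal users' traffic crosses
    to_dmz = shortest_path(graph, outside, dmz)          # what stands between Internet and DMZ
    dmz_to_inside = shortest_path(graph, dmz, inside)    # what a DMZ intruder must cross next
    if None in (transit, to_dmz, dmz_to_inside):
        raise ValueError("topology leaves a required segment unreachable")
    return {
        # DMZ is a transit segment for internal<->Internet traffic: a compromised
        # DMZ host can observe e-mail, web logins, etc. passing through.
        "dmz_can_sniff_internal_traffic": dmz in transit,
        # No firewall between the Internet and the DMZ (scenario 4).
        "dmz_exposed_without_firewall": not any(is_firewall(n) for n in to_dmz[1:-1]),
        # Number of firewall hops an intruder in the DMZ must cross to reach inside.
        "firewalls_between_dmz_and_internal": sum(is_firewall(n) for n in dmz_to_inside[1:-1]),
    }


def report(topologies=TOPOLOGIES):
    """Assess every topology; returns {name: properties}."""
    return {name: assess(links) for name, links in topologies.items()}


if __name__ == "__main__":
    for name, result in report().items():
        flags = ", ".join(f"{key}={value}" for key, value in result.items())
        print(f"{name:18} {flags}")
```

Run stand-alone it prints one line per topology. The three-legged and separate-uplink arrangements are the only ones where internal traffic never transits the DMZ, which is the point Christopher makes; the dual-firewall chain Erik proposes still leaves the DMZ on the transit path, even though it adds a firewall hop between the DMZ and the inside.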
Current thread:
- Firewall and DMZ topology William J. Burgos (Jun 09)
- RE: Firewall and DMZ topology Des Ward (Jun 09)
- Re: Firewall and DMZ topology Christopher Ingram (Jun 09)
- Re: Firewall and DMZ topology Erik Vincent (Jun 09)
- Re: Firewall and DMZ topology Christopher Ingram (Jun 09)
- Re: Firewall and DMZ topology Erik Vincent (Jun 09)
- Re: Firewall and DMZ topology Brad Mills (Jun 10)
- Re: Firewall and DMZ topology - Thanks for all the information William J. Burgos (Jun 11)
- <Possible follow-ups>
- RE: Firewall and DMZ topology Mann, Bobby (Jun 09)
- RE: Firewall and DMZ topology ed (Jun 10)
- Re: Firewall and DMZ topology Erik Vincent (Jun 10)
- Re: Firewall and DMZ topology Daniel B. Cid (Jun 10)
- RE: Firewall and DMZ topology ed (Jun 10)
- Re: Firewall and DMZ topology Chris Berry (Jun 10)
- RE: Firewall and DMZ topology David Gillett (Jun 10)
- Re: Firewall and DMZ topology Erik Vincent (Jun 10)
- Re: Firewall and DMZ topology Zach Crowell (Jun 10)