Re: Firewall and DMZ topology

["Daniel B. Cid" <danielcid () yahoo com br>]

The proxy server cannot be inside the DMZ. You will only  want to have
public servers on it. This setup is very good, but in some cases (low
money) the NIC2 can be the same as NIC1. 

>         Internet <-> (NIC 3) Firewall (NIC1)   <->  Fireawll / Proxy 
> server <- LAN
>                                                        (NIC 2)  <->  DMZ
 
But what will happen if the attacker break both firewalls ? Is the
same question that you gave me before... We are not supposing that the
firewall will be broken ... generally people use the same firewall in
all the places.

[]`s

Daniel B. Cid


> On Tue, 2003-06-10 at 14:14, Erik Vincent wrote:
> see below..
>
> Daniel B. Cid wrote:
>
> > There are many reasons. The first of all, in this situation:
> >
> >  
> >
> > > internet -->  Firewall --> LAN
> > >                             --> DMZ
> > >    
> >
> > You need to pass  through you LAN to access the DMZ ... I dont need
> > to say anithing more. The purpose of a DMZ is to isolate the public
> > servers from outside the LAN. If someone hacks the DMZ will not be
> > able to access the LAN.
> >
> >  
> >
> > > internet --> Outer Firewall --> DMZ --> Inner Firewall --> LAN
> > >    
> >
> > In this other situation you  need to pass through the DMZ to access the
> > LAN, so all conections from the LAN to the INTERNET will pass in the
> > DMZ.. if someone compromise the DMZ will be able to snif the conections
> > to the internet and a lot of other things ...
>
>         So is this should be a better setup
>         Internet <-> (NIC 3) Firewall (NIC1)   <->  Fireawll / Proxy 
> server <- LAN
>                                                        (NIC 2)  <->  DMZ
>
>        Because if you put the proxy server in the DMZ, you still have 
> the same sniffing problem.
>         If you only accept connection from the LAN to the Proxy 
> server.......
>
>         If you don't put the second firewall, what happend if the outer 
> firewall get crack?
>
>
> > ->The "real" purpose of a DMZ is to isolate your public servers, nothing
> > more.
> >
> > []`s
> >
> > Daniel B. Cid
> >
> >
> >  
> >
> > > On Mon, 2003-06-09 at 20:53, Chris Berry wrote:
> > >    
> > >
> > > > From: Christopher Ingram <cmi () crystalsands net>
> > > > So, the below setup is not decent for a corporate LAN. Ideally, the DMZ 
> > > > should sit on a seperate connection to the Internet from the rest of the 
> > > > network, using a different ISP and therefore, different IP block. This 
> > > > provides the most isolation.
> > > >      
> > > I'm afraid I don't see how that:
> > >
> > > internet --> Firewall --> Lan
> > >
> > > internet --> Firewall --> DMZ
> > >
> > > would be any more secure than this:
> > >
> > > internet --> Outer Firewall --> DMZ --> Inner Firewall --> LAN
> > >
> > > or this:
> > >
> > > internet -->  Firewall --> LAN
> > >                             --> DMZ
> > >
> > > which are the setups that I've seen.  Can you give some 
> > > justification/explanation on why you think that would be better?
> > >
> > > Chris Berry
> > > compjma () hotmail com
> > > Systems Administrator
> > > JM Associates
> > >
> > > "All I want is a few minutes alone with the source code for the universe and 
> > > a quick recompile."
> > >
> > > _________________________________________________________________
> > > STOP MORE SPAM with the new MSN 8 and get 2 months FREE*  
> > > http://join.msn.com/?page=features/junkmail
> > >
> > >
> > > ---------------------------------------------------------------------------
> > > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> > > The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> > > while InStat has confirmed Neoteris as the leader in marketshare.
> > >     
> > > Find out why, and see how you can get plug-n-play secure remote access in
> > > about an hour, with no client, server changes, or ongoing maintenance.
> > >          
> > > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> > > ----------------------------------------------------------------------------
> > >    
> >
> >
> >
> >
> > ---------------------------------------------------------------------------
> > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> > The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> > while InStat has confirmed Neoteris as the leader in marketshare.
> >     
> > Find out why, and see how you can get plug-n-play secure remote access in
> > about an hour, with no client, server changes, or ongoing maintenance.
> >          
> > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> > ----------------------------------------------------------------------------
> >
> >  



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------