Security Basics mailing list archives

RE: Basic Network Configuration


From: "Stuart" <secmail () patchsupplier dyndns org>
Date: Wed, 15 Oct 2003 00:44:53 +0100

Hello, 
Yes, mail servers, web servers, ftp etc are your DMZ buddies. The one
firewall with 3 interfaces provides the logical topology of the
firewall> dmz> firewall> lan layout but physically it does not. One
thing I do not understand by doing this is security, if the firewall is
compromised it does not matter DMZ or not the lan can be accessed, but
from a firewall>dmz>firewall>lan physical layout this would be far more
difficult especially if the other firewall is from a different vendor as
the same exploit would not work twice :). I think the true 'standard'
for a DMZ is to not have the servers themselves talking to the lan which
your solution currently does the job of doing. Does anyone have any info
regarding a true DMZ definition?

Hth,
Stu

-----Original Message-----
From: Smith, KC [mailto:ksmith () systemsalliance com] 
Sent: 14 October 2003 17:40
To: security-basics () securityfocus com
Subject: Basic Network Configuration


All,

Okay I know this is truly a basic question, but this is after all the
"security-BASICS" list!

Most LAN configs I've seen include two, separate pieces of hardware to
define the DMZ.  A firewall on the outside and another firewall or
policy switch on the inside is usually how I've seen that handled.

My new company uses 3 separate NICs in the same firewall.  One for
inbound, one for the LAN and one for the DMZ.  Each has its own address
block.

It seems like using the firewall to do this makes sense, but I'd
appreciate some external confirmation on that.

The second issue is this: is there a rule of thumb to determine what
should and should not go in the DMZ vs. the LAN?  It seems to me that
anything that requires access from outside the network (Ex. DNS servers,
Mail servers, demo servers, etc.) should go in the DMZ.  True?

Thanks in advance.
KC Smith
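As an added example (not from Stuart's or KC's mail), here is how the three-NIC layout KC describes can enforce the rule Stuart argues for, that DMZ hosts never initiate connections into the LAN, written as an nftables ruleset. Interface names, address blocks and the mail/web host addresses are assumed placeholders, and NAT is left out.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread: one firewall, three interfaces.
# eth0/eth1/eth2 and the address blocks below are assumed placeholders.
define WAN = eth0
define LAN = eth1
define DMZ = eth2
define LAN_NET  = 192.168.10.0/24
define DMZ_NET  = 192.168.20.0/24
define DMZ_MAIL = 192.168.20.25
define DMZ_WEB  = 192.168.20.80

table inet threeleg {
    chain forward {
        # Default deny between all three legs; only listed flows pass.
        type filter hook forward priority 0; policy drop;

        # Replies for sessions the firewall already permitted.
        ct state established,related accept
        ct state invalid drop

        # LAN may reach the Internet and the DMZ services.
        iifname $LAN ip saddr $LAN_NET oifname $WAN accept
        iifname $LAN ip saddr $LAN_NET oifname $DMZ ip daddr $DMZ_NET accept

        # Internet may reach only the published DMZ services.
        iifname $WAN oifname $DMZ ip daddr $DMZ_WEB  tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ ip daddr $DMZ_MAIL tcp dport 25 accept

        # DMZ hosts may send mail out and resolve names, nothing more.
        iifname $DMZ oifname $WAN ip saddr $DMZ_MAIL tcp dport 25 accept
        iifname $DMZ oifname $WAN ip saddr $DMZ_NET  udp dport 53 accept

        # The point Stuart makes: a DMZ server never starts a connection
        # into the LAN. The drop policy already blocks it; this rule
        # additionally logs the attempt so a compromised DMZ host shows up.
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan " drop
    }

    chain input {
        # The firewall itself is managed only from the LAN leg.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname lo accept
        iifname $LAN ip saddr $LAN_NET tcp dport 22 accept
    }
}
```

Loading this with `nft -f` installs the table; anything matching the `dmz-to-lan` log line afterwards is exactly the traffic a compromised DMZ server would generate, so it belongs on the list of things the firewall logs are watched for.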

