Security Basics mailing list archives

Re: Basic Network Configuration


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 15 Oct 2003 14:04:47 +0200

On 2003-10-14 Smith, KC wrote:
> Most LAN configs I've seen include two, separate pieces of hardware to
> define the DMZ.  A firewall on the outside and another firewall or
> policy switch on the inside is usually how I've seen that handled.
>
> My new company uses 3 separate NICs in the same firewall.  One for
> inbound, one for the LAN and one for the DMZ.  Each has its own
> address block.
>
> It seems like using the firewall to do this makes sense, but I'd
> appreciate some external confirmation on that.

Both implementations have their pros and cons. The 2-firewall setup has
the advantage that an attacker cannot bypass the DMZ by attacking the
external firewall. You still have a second line of defense between the
world and your LAN. The downside of this setup is the administrative
overhead due to the different firewalls (configuration, patching, etc.).
A 1-firewall setup is easier to maintain as you have only one system,
but probably not as secure as a 2-firewall setup. You will have to
estimate whether the gain in security justifies the higher complexity of
two different firewalls.

> The second issue is this: is there a rule of thumb to determine what
> should and should not go in the DMZ vs. the LAN?  It seems to me that
> anything that requires access from outside the network (Ex. DNS
> servers, Mail servers, demo servers, etc.) should go in the DMZ. True?

Yes.

Regards
Ansgar Wiechers
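
The three-NIC layout discussed in the thread above, as an added example that is not code from the original post or from either poster: a small Python model of the zone policy (WAN, LAN and DMZ each on its own interface of one firewall) that answers "may this new connection be forwarded?" and renders the same policy as an nftables forward chain with default drop. The interface names eth0/eth1/eth2, the address blocks 10.0.0.0/24 and 192.0.2.0/24 and the list of permitted services are assumptions chosen for illustration.

```python
"""Zone policy for a single three-NIC firewall: WAN, LAN and DMZ each on
its own interface.  Added example for the thread above, not code from the
original post.  Interface names, address blocks and the service list are
assumptions chosen for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed interface per zone (one NIC each, as in the three-NIC setup).
IFACE = {"wan": "eth0", "lan": "eth1", "dmz": "eth2"}

# Assumed address blocks of the two inside zones, used for anti-spoofing:
# a packet arriving on the LAN NIC must carry a LAN source address.
NET = {"lan": ip_network("10.0.0.0/24"), "dmz": ip_network("192.0.2.0/24")}


@dataclass(frozen=True)
class Rule:
    src: str    # source zone
    dst: str    # destination zone
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


# Explicit allow list; anything not listed is dropped by the chain policy.
# Services the outside must reach (DNS, mail, web) sit in the DMZ, so the
# WAN zone never gets a rule towards the LAN, and neither does the DMZ:
# a compromised DMZ host must not be able to open connections inward.
ALLOW = (
    Rule("wan", "dmz", "udp", 53),
    Rule("wan", "dmz", "tcp", 53),
    Rule("wan", "dmz", "tcp", 25),
    Rule("wan", "dmz", "tcp", 80),
    Rule("lan", "dmz", "udp", 53),
    Rule("lan", "dmz", "tcp", 25),
    Rule("lan", "dmz", "tcp", 80),
    Rule("lan", "wan", "tcp", 80),
    Rule("lan", "wan", "tcp", 443),
    Rule("dmz", "wan", "udp", 53),   # DMZ resolver querying upstream
    Rule("dmz", "wan", "tcp", 25),   # DMZ mail host relaying outbound
)


def allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """True if a *new* connection from zone src to zone dst on proto/dport
    may be forwarded.  Replies ride on conntrack state and need no rule."""
    return Rule(src, dst, proto, dport) in ALLOW


def inward_rules(zone: str) -> list:
    """Rules whose destination is `zone`, coming from another zone."""
    return [r for r in ALLOW if r.dst == zone and r.src != zone]


def lan_isolated() -> bool:
    """Sanity check for the policy: nothing from WAN or DMZ may initiate
    connections into the LAN."""
    return not any(r.src in ("wan", "dmz") for r in inward_rules("lan"))


def nft_ruleset() -> str:
    """Render the policy as an nftables forward chain with default drop."""
    lines = [
        "table inet fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    # Anti-spoofing: drop inside-interface traffic with a foreign source.
    for zone, net in NET.items():
        lines.append(f'    iifname "{IFACE[zone]}" ip saddr != {net} drop')
    for r in ALLOW:
        lines.append(
            f'    iifname "{IFACE[r.src]}" oifname "{IFACE[r.dst]}" '
            f"{r.proto} dport {r.dport} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    assert lan_isolated(), "policy lets an outer zone into the LAN"
    print(nft_ruleset())
```

Run it and feed the output to `nft -f` on a box with three interfaces to get the single-firewall design from the thread. What makes the one-box design hold up is that the forward chain is default-drop, the allow list is the only way across, and the anti-spoof lines stop a DMZ host from claiming a LAN address; what it cannot give you is the second line of defence, since anyone who takes over this one system owns all three zones at once.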
