Firewall Wizards mailing list archives

DMZ best practices


From: "Perry, David" <perry () timpo osd mil>
Date: Thu, 14 Jan 1999 14:54:37 -0600

Some firewall implementations allow for an additional interface to be
used as a DMZ.  Does implementing a DMZ from additional firewall
interfaces constitute a best practice?  

What are the risks associated with configuring a DMZ directly off an
additional firewall interface?  Or, should a DMZ be configured as an
isolated subnet off the "outside" firewall interface?

Also, is there an advantage to placing various discrete proxy servers
(such as sendmail, http, dns, etc) in a DMZ rather than having a
proxy-based firewall with integrated features?  For example, suppose the
firewall sports a "secure os" with built in split-dns, sendmail and
http, but later it is determined that the sendmail version has a
vulnerability.  Now I might have to wait for the firewall vendor to
issue a patch to sendmail on the secure os'd platform.  

What about firewall CPU utilization and performance of integrated
services such as those mentioned - would sendmail, http and dns proxies
integrated on a single platform severely impede performance?  

Finally, what about reliability - a single point of failure for all
these integrated services.

I am trying to determine if it's better to place discrete proxies and
services (such as public web servers, sendmail, etc) as needed into a
DMZ rather than relying on the firewall platform.  Also, I am trying to
determine what the best practices for implementation of a DMZ are.

Thanks for your time.

David Perry
SRA International
perry () timpo osd mil
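As an added illustration of the first question (not part of the original post or the list), here is a small model of the two DMZ placements asked about: a DMZ on a third firewall interface versus a DMZ on the subnet outside the firewall. The zone names, ports and allow lists are constructed assumptions, not a recommended ruleset.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One connection attempt: the zone it starts in, the zone it targets, the port."""
    src_zone: str
    dst_zone: str
    dst_port: int

# Constructed allow lists for the three-legged design (outside / dmz / inside on
# separate interfaces). Everything not listed is denied, and there is deliberately
# no (dmz -> inside) entry: a compromised DMZ host cannot initiate inward.
THREE_LEG_POLICY = {
    ("outside", "dmz"): {25, 53, 80},        # public mail, dns and http relays
    ("inside", "dmz"): {25, 53, 3128},       # internal hosts use the DMZ relays/proxy
    ("dmz", "outside"): {25, 53, 80, 443},   # relays deliver outward
}

# Constructed allow list for a two-interface firewall whose DMZ sits on the
# outside segment. The firewall only sees traffic crossing to or from inside.
TWO_LEG_POLICY = {
    ("inside", "outside"): {25, 53, 3128},
}

def three_leg_decision(flow: Flow) -> str:
    allowed = THREE_LEG_POLICY.get((flow.src_zone, flow.dst_zone), set())
    return "allow" if flow.dst_port in allowed else "deny"

def outside_subnet_decision(flow: Flow) -> str:
    # outside <-> dmz traffic never crosses the firewall in this design, so the
    # firewall policy has no say; only a screening router in front could filter it.
    if "inside" not in (flow.src_zone, flow.dst_zone):
        return "unfiltered"
    # From the firewall's point of view the DMZ and the Internet share one interface.
    src = "outside" if flow.src_zone == "dmz" else flow.src_zone
    dst = "outside" if flow.dst_zone == "dmz" else flow.dst_zone
    allowed = TWO_LEG_POLICY.get((src, dst), set())
    return "allow" if flow.dst_port in allowed else "deny"

def compare(flows):
    """Return {flow: (third-interface decision, outside-subnet decision)} per flow."""
    return {f: (three_leg_decision(f), outside_subnet_decision(f)) for f in flows}

if __name__ == "__main__":
    sample = [Flow("outside", "dmz", 80), Flow("outside", "dmz", 23),
              Flow("dmz", "inside", 445), Flow("inside", "dmz", 3128)]
    for flow, (three, two) in compare(sample).items():
        print(f"{flow.src_zone:>7} -> {flow.dst_zone:<7} :{flow.dst_port:<5} "
              f"third-interface DMZ: {three:<10} DMZ outside firewall: {two}")
```

The difference shows up on the second sample flow: an unwanted service on a DMZ host is denied by the three-legged firewall but is simply out of the firewall's reach when the DMZ hangs off the outside segment.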
