Firewall Wizards mailing list archives

RE: DMZ or not ?


From: "Thomas Crowe" <thomas.crowe () bellsouth net>
Date: Thu, 14 Oct 1999 08:44:07 -0400


I'm not an expert, but here's my simple look at how this risk stacks up.  If
you put your DMZ off a NIC on the firewall, then you have to really worry
about your internal connections back into your network.

WHY? Putting your DMZ off a 3rd NIC of the firewall forces ALL traffic to or
from the machines on that DMZ through the firewall, and thus the rule set.
So really the DMZ only has the access to the internal LAN that you define in
the rule set.


If you have none, then the risk is really no different than if you used the
more traditional DMZ.

The risk is very different.

However, making this assumption is not realistic in today's business
environment, so you will have connections back into the internal network in
some form or other.  This means that somehow you must protect these
connections and the machines behind them.  If you don't, then your risk would
essentially be the same as if you removed your firewall from the equation
and just relied on the head-end router for protection.  In a traditional DMZ
you would have the firewall to offer some protection to your internal
application/DBMS servers while your servers in the DMZ act as sacrifices.

Somebody please flame me if I'm wrong about this.


-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Moore, James
Sent: Friday, October 08, 1999 6:53 PM
To: Thomas Crowe; fgb () domain com br; firewall-wizards () nfr net
Subject: RE: DMZ or not ?


Could someone expand on this advice, and list/explain the additional risks
assumed by operating between the router and firewall (as opposed to
operating off a third firewall interface)?

James Moore

-----Original Message-----
From:       Thomas Crowe [SMTP:thomas.crowe () bellsouth net]
Sent:       Friday, October 08, 1999 7:29 AM
To: fgb () domain com br; firewall-wizards () nfr net
Subject:    RE: DMZ or not  ?

That depends a lot on what definition of a DMZ you're using!  If you mean the
classical definition of a DMZ, i.e. in between the router and the firewall,
*unprotected* except by router ACLs, then my advice would be, don't do it,
not under any circumstances! (ok, maybe one or two circumstances).  If you're
referring to the somewhat more contemporary definition of a DMZ, i.e. another
interface off your firewall, whereas all traffic must still traverse the
firewall, then I would say go for it; that way *when* your public machines
get hacked your internal network is still protected, this is good; very good
:-).  NAT is a good thing but it is security through obscurity, which isn't
very secure in and of itself.  Just my $0.02

Thomas Crowe
Production Network Systems Administrator
BellSouth Online
678-441-7454

-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of
fgb () domain com br
Sent: Wednesday, October 06, 1999 9:57 AM
To: firewall-wizards () nfr net
Subject: DMZ or not ?


Hello wizards,

Divergences are occurring here in my office about the use of a
DMZ, and I hope the wizards will give me some explanations and/or
secure information about the better implementation.

Currently, we're using Linux as a Firewall Box, with a port
forwarding to our mail server, that is behind the firewall.

We are now on the way to installing a public web server and a DNS
server. What are the advantages and disadvantages of placing these
servers behind the firewall and performing NAT or port forwarding,
instead of using a DMZ?

Which of the options should I implement here in my office, to
have a secure site?

Thanks and regards,

Fábio Baptista
fgb () domain com br
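The three placements argued over in this thread (a "classical" DMZ between the border router and the firewall, a DMZ on a third firewall interface, and public servers kept on the internal LAN behind port forwarding) differ mainly in which flows ever cross the firewall's rule set. The following is an added illustration, not code from any poster and not a model of any real firewall product: a tiny zone-based packet filter with first-match rules and default deny, applied to the same four sample flows under each placement. Host roles, ports, rules and the wide-open router ACL are constructed values.

```python
"""Model of the three DMZ placements discussed in the thread.

Constructed example: a zone-based packet filter (first match wins,
default deny) used to show which flows each placement actually filters.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "internet", "dmz", "internal" or "any"
    dst_zone: str
    dst_port: Optional[int]  # None matches any port
    action: str              # "accept" or "drop"
    note: str = ""


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, dst_port: int) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if (r.src_zone in ("any", src_zone) and r.dst_zone in ("any", dst_zone)
                and (r.dst_port is None or r.dst_port == dst_port)):
            return r.action
    return "drop"


# Firewall policy. The only path from the DMZ back into the LAN is the one
# written down on purpose (web app -> internal DB). With a three-legged DMZ
# every inter-zone flow is checked against this list.
FIREWALL_RULES = [
    Rule("internet", "dmz", 80, "accept", "public web server"),
    Rule("internet", "dmz", 53, "accept", "public DNS"),
    Rule("dmz", "internal", 3306, "accept", "web app to internal DB, defined on purpose"),
    Rule("internal", "any", None, "accept", "staff outbound"),
]

# Classical DMZ: the segment sits between router and firewall, so flows that
# never touch the internal zone never reach the firewall. What protects the
# DMZ hosts is the border router's ACL, modelled here as passing everything
# (constructed worst case, matching "unprotected except by router ACLs").
ROUTER_ACL = [Rule("internet", "dmz", None, "accept", "router ACL: wide open")]

# Port-forwarding variant: public servers live on the internal LAN and the
# firewall forwards just the service ports to them.
PORT_FORWARD_RULES = [
    Rule("internet", "internal", 80, "accept", "forward to web server"),
    Rule("internet", "internal", 53, "accept", "forward to DNS server"),
    Rule("internal", "any", None, "accept", "staff outbound"),
]

# Which zone each host role sits in, per placement (constructed sample).
PLACEMENT: Dict[str, Dict[str, str]] = {
    "three_legged": {"attacker": "internet", "web": "dmz", "db": "internal", "files": "internal"},
    "classical":    {"attacker": "internet", "web": "dmz", "db": "internal", "files": "internal"},
    "port_forward": {"attacker": "internet", "web": "internal", "db": "internal", "files": "internal"},
}


@dataclass(frozen=True)
class Decision:
    verdict: str   # "accept" or "drop"
    via: str       # which device, if any, made the decision


def decide(topology: str, src: str, dst: str, port: int) -> Decision:
    """Work out which filtering device a flow crosses and what it says."""
    src_zone, dst_zone = PLACEMENT[topology][src], PLACEMENT[topology][dst]
    if src_zone == dst_zone:
        # Same segment: no filtering device is in the path at all.
        return Decision("accept", "same segment, nothing in the path")
    if topology == "three_legged":
        return Decision(evaluate(FIREWALL_RULES, src_zone, dst_zone, port), "firewall rule set")
    if topology == "classical":
        if "internal" in (src_zone, dst_zone):
            return Decision(evaluate(FIREWALL_RULES, src_zone, dst_zone, port), "firewall rule set")
        return Decision(evaluate(ROUTER_ACL, src_zone, dst_zone, port), "router ACL only")
    if topology == "port_forward":
        return Decision(evaluate(PORT_FORWARD_RULES, src_zone, dst_zone, port), "firewall rule set")
    raise ValueError(topology)


SCENARIOS = [
    ("attacker", "web", 80, "normal visitor to the web server"),
    ("attacker", "web", 22, "probe of an admin port on the web server"),
    ("web", "db", 3306, "web app talking to its database"),
    ("web", "files", 445, "compromised web server reaching the file server"),
]


def report() -> List[str]:
    """One line per (scenario, placement) pair, for eyeballing the differences."""
    lines = []
    for src, dst, port, what in SCENARIOS:
        for topo in PLACEMENT:
            d = decide(topo, src, dst, port)
            lines.append(f"{topo:13} {what:48} {d.verdict:6} ({d.via})")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running it shows the point made above in three rows: the classical placement lets the admin-port probe through because only the router ACL is in the path; the port-forwarding placement drops that probe but lets a compromised web server reach the file server unfiltered, since both sit on the same segment; only the three-legged placement sends both flows through the rule set, where the web-to-DB connection is accepted because it was written down and everything else from the DMZ is dropped by default.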