Security Basics mailing list archives

RE: DMZ design


From: Dave Killion <Dkillion () netscreen com>
Date: Wed, 27 Aug 2003 09:57:19 -0700

Mr. Null,

The answer is "Depends" - depends on how much money you want to spend on
firewalls.

For option 1, don't use a router, use a routing firewall.
For option 2, you'll need 2 firewalls: one for Internet<->DMZ and one for
DMZ<->Private.

Option 2 was called "Belt and Suspenders" in the day, when firewalls were
slow as heck and were the ChokePoints in your network.  With option 2,
your 'belt' firewall (between Internet<->DMZ) takes all the pain of an
external attack, leaving your private network still free to access the
DMZ.

Option 1 gives you a single point of failure, unless you build
redundancy into that point.  Designing a network option 1 style, and
having *every* subnet (Accounting, Marketing, Sales, Engineering, etc) off
of the firewall takes the firewall from the border and puts it into the
core, enhancing security, but at a cost of potentially bringing down your
entire network if that firewall should fail.

Today's modern firewalls support multiple zones from a single unit and
have higher session tables to handle more traffic.  They're also a lot
faster, especially if you go for an ASIC-based one.  Most have built-in
redundancy systems that allow you to put two firewalls in-line in
parallel, so if one fails you're still okay.

Different people have different ideas on how to make networks more
effective or more secure, and in the long run, there's no one right
answer.  Depending on the product selection, overall intent, and money you
have to spend, either design is valid.

Good luck with your design.

I hope this information is helpful,

Dave Killion
Senior Security Engineer
Security Group, NetScreen Technologies, Inc.



-----Original Message-----
From: me null [mailto:me_null () hotmail com]
Sent: Tuesday, August 26, 2003 10:29 PM
To: security-basics () securityfocus com
Subject: DMZ design


Hello, I was hoping someone could answer a couple of questions I had about DMZ
design. Speaking from a security standpoint, is it best to have your DMZ and
internal network separated by a router (option 1), or is it better to have
your internal network connect to the Internet through the DMZ (option 2)?
All help is appreciated, thanks.

option 1     internet
                     |
       DMZ --- router ---- Network

option 2  internet -- DMZ --- Network
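As an added example (not code from either poster), here is a small Python model of the two designs the reply above describes: option 1 as a single three-zone routing firewall with one rule base, and option 2 as an outer "belt" firewall between Internet and DMZ plus an inner "suspenders" firewall between DMZ and the private network, each with its own rule base. The address plan, port numbers, rule sets and the `Flow`, `permitted_option1` and `permitted_option2` names are constructed assumptions for illustration. The model also lets you take a firewall down, so the single-point-of-failure argument can be checked against concrete flows.

```python
# Added example: a zone-policy model of the two DMZ designs from the thread.
# Not code from either poster; the address plan, ports and rules are
# constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: RFC 1918 space for the private LAN, the RFC 5737
# documentation prefix for the DMZ; anything else counts as "internet".
ZONE_PREFIXES = {
    "private": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; the Internet is the catch-all."""
    addr = ip_address(ip)
    for zone, prefix in ZONE_PREFIXES.items():
        if addr in prefix:
            return zone
    return "internet"


@dataclass(frozen=True)
class Flow:
    """One connection attempt, identified by endpoints, protocol and port."""
    src: str
    dst: str
    proto: str
    dport: int

    def key(self) -> tuple:
        return (zone_of(self.src), zone_of(self.dst), self.proto, self.dport)


# A rule base is the set of (src_zone, dst_zone, proto, dport) tuples that are
# permitted.  Anything not listed is dropped: default deny.
OPTION1_RULES = frozenset({          # one routing firewall, three zones
    ("internet", "dmz", "tcp", 80),
    ("internet", "dmz", "tcp", 443),
    ("private", "dmz", "tcp", 443),
    ("private", "dmz", "tcp", 22),
    ("private", "internet", "tcp", 80),
    ("private", "internet", "tcp", 443),
    ("dmz", "internet", "tcp", 25),
})
OUTER_RULES = frozenset({            # "belt": Internet <-> DMZ firewall
    ("internet", "dmz", "tcp", 80),
    ("internet", "dmz", "tcp", 443),
    ("private", "internet", "tcp", 80),
    ("private", "internet", "tcp", 443),
    ("dmz", "internet", "tcp", 25),
})
INNER_RULES = frozenset({            # "suspenders": DMZ <-> private firewall
    ("private", "dmz", "tcp", 443),
    ("private", "dmz", "tcp", 22),
    ("private", "internet", "tcp", 80),
    ("private", "internet", "tcp", 443),
})


def permitted_option1(flow: Flow, firewall_up: bool = True) -> bool:
    """Single multi-zone firewall: if it is down, every inter-zone flow dies."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return True                  # same zone: never reaches the firewall
    if not firewall_up:
        return False                 # the single point of failure
    return flow.key() in OPTION1_RULES


def permitted_option2(flow: Flow, outer_up: bool = True,
                      inner_up: bool = True) -> bool:
    """Two firewalls in series: each one on the path must be up and allow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return True
    zones = {src_zone, dst_zone}
    path = []                        # firewalls this flow traverses, with state
    if "internet" in zones:
        path.append((OUTER_RULES, outer_up))
    if "private" in zones:
        path.append((INNER_RULES, inner_up))
    return all(up and flow.key() in rules for rules, up in path)


if __name__ == "__main__":
    samples = [                      # constructed flows for a quick comparison
        Flow("203.0.113.9", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web
        Flow("192.0.2.10", "10.1.2.3", "tcp", 22),       # DMZ -> private ssh
        Flow("10.1.2.3", "192.0.2.10", "tcp", 22),       # private -> DMZ ssh
        Flow("10.1.2.3", "203.0.113.9", "tcp", 443),     # private -> Internet
    ]
    for f in samples:
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport}: "
              f"opt1={permitted_option1(f)} opt2={permitted_option2(f)} "
              f"opt1(fw down)={permitted_option1(f, firewall_up=False)} "
              f"opt2(outer down)={permitted_option2(f, outer_up=False)}")
```

With equivalent rule bases the two designs permit the same flows, and both deny anything a DMZ host initiates toward the private network. The difference appears in the failure case the reply raises: taking the single option 1 firewall down cuts every inter-zone flow, while in the series design a failed outer firewall still leaves private-to-DMZ traffic working, which is the "still free to access the DMZ" property described above.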
