Security Basics mailing list archives

RE: Firewall and DMZ topology


From: "Des Ward" <des.ward () ntlworld com>
Date: Mon, 9 Jun 2003 17:46:26 +0100

Basically, you're going to have to get a machine with three NICs.  The
purpose of a DMZ is to segment machines from your internal network whilst
still providing protection for them.

Any other solution will just not give you the right balance of security.

Sorry

-----Original Message-----
From: William J. Burgos [mailto:wjburgos () white-bear-productions com] 
Sent: 07 June 2003 15:06
To: security-basics () securityfocus com
Subject: Firewall and DMZ topology

Greetings list,

I would like to set up a SOHO network with a firewall and DMZ for mostly
web serving and email. Of course, there are private PCs on the internal
network, Windows and Linux.

My connection is a dynamic IP on a pppoe and I already have an old
laptop used as a simple firewall setup. 

I am considering separating my web and email server to a dedicated
machine and placing it in a DMZ.

In searching on the web, I came up with a few topologies and I would
like to ask the list for their opinion.

I have sketched out a few scenarios below:

1. | Internet |-->| Firewall |-->| DMZ |-->| internal network |

This scenario (1) puts the DMZ between the firewall and internal
network. I have read that this is insecure as if the DMZ is compromised,
so will be the internal network. Is this true?

2. | Internet |-->| Firewall |--->| internal network |
                  |          |--->| DMZ |

This scenario (2) uses three NICs for the firewall. One for the
internal network, one for the DMZ and one for the Internet. I have read
that this is a Three-legged firewall setup. The drawback is that I would
need three NICs for the firewall, which is now a laptop with only two.

3. | Internet |-->| DMZ with Firewall |-->| internal network |

This scenario (3) places the DMZ with the firewall on one box and then
to the internal network. My concern is if I can secure the DMZ from the
firewall on one box. Is there a way to secure this setup?

4. | Internet |-->| DMZ |-->| Firewall |-->| internal network |

This scenario (4) places the DMZ before the Firewall which leaves it
open to the Internet. Is there a way to secure this setup? 

I am trying to avoid having to get another box with three NICs for
Scenario 2, if possible. However, I would feel safer with a setup that
is less easy to break into.

Any comments or suggestions would be appreciated.

Thanks in advance.

William Burgos
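As an added illustration of the three-legged layout from scenario 2 (this is not code from either poster), the script below emits an iptables ruleset for a Linux firewall with three interfaces. The interface names (ppp0, eth0, eth1), the DMZ host address and the subnets are assumed values; the only rule that really matters for the DMZ question is the last FORWARD pair, which logs and drops anything the DMZ tries to initiate toward the internal network. Scenario 1 cannot express that rule, because there the DMZ sits in the path to the internal network instead of on its own firewall leg.

```shell
#!/bin/sh
# Added example for a three-legged firewall (scenario 2). Not from the thread.
# Interface names and addresses below are assumptions; adjust to your hardware.
WAN_IF="${WAN_IF:-ppp0}"                 # PPPoE link to the Internet (assumed)
DMZ_IF="${DMZ_IF:-eth1}"                 # NIC facing the DMZ (assumed)
LAN_IF="${LAN_IF:-eth0}"                 # NIC facing the internal network (assumed)
DMZ_HOST="${DMZ_HOST:-192.168.2.10}"     # constructed address of the web/mail server
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"     # constructed DMZ subnet
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed internal subnet

# build_rules prints one iptables command per line instead of running them,
# so the policy can be reviewed (or diffed against the running box) before
# it is applied as root.
build_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ: only the published services, port-forwarded to the DMZ host
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -m multiport --dports 80,443,25 -j DNAT --to-destination $DMZ_HOST
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_HOST -p tcp -m multiport --dports 80,443,25 -m state --state NEW -j ACCEPT
# Internal -> DMZ: the inside may reach and administer the servers
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
# Internal -> Internet
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# DMZ -> Internet: outbound mail delivery and DNS lookups only
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_HOST -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_HOST -p udp --dport 53 -m state --state NEW -j ACCEPT
# DMZ -> Internal: never initiated from the DMZ; log it so a compromised server shows up
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN blocked: "
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
# Masquerade everything leaving on the dynamic PPPoE address
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# count_rules returns how many iptables commands the policy contains.
count_rules() {
  build_rules | grep -c '^iptables'
}

# Print the rules by default; "apply" feeds them to a shell (run as root).
if [ "${1:-}" = "apply" ]; then
  build_rules | sh -e
else
  build_rules
fi
```

Run it once without arguments to read the generated policy, then with `apply` on the firewall itself. Because the default FORWARD policy is DROP and return traffic is only admitted by the ESTABLISHED,RELATED rule, every flow that is not listed explicitly (including anything new from the DMZ toward the internal network) is dropped.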


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------

