Security Basics mailing list archives

RE: Firewall and DMZ topology


From: "Des Ward" <des.ward () ntlworld com>
Date: Tue, 10 Jun 2003 17:53:48 +0100

The first one does not have to use two separate firewalls, just have an
extra NIC to segment the LAN and DMZ.

Your bottom two examples are as follows:

The first one is far too complex and was how I thought a DMZ was supposed to
be until I realised that it just wasn't needed.

The second means that all traffic has to traverse your LAN to get to the
'Unprotected' DMZ systems and also could leave your internal LAN open to
attack.

The main thing to remember is that the DMZ is designed to be accessible to
the outside world.  You do want this segmented from the rest of the LAN in
the easiest way possible.

Just my .002667 cents worth (After converting from the BRITISH and not
ENGLISH pound)

-----Original Message-----
From: Chris Berry [mailto:compjma () hotmail com] 
Sent: 10 June 2003 01:53
To: security-basics () securityfocus com
Subject: Re: Firewall and DMZ topology

From: Christopher Ingram <cmi () crystalsands net>
So, the below setup is not decent for a corporate LAN. Ideally, the DMZ 
should sit on a separate connection to the Internet from the rest of the 
network, using a different ISP and therefore, different IP block. This 
provides the most isolation.

I'm afraid I don't see how that:

internet --> Firewall --> Lan

internet --> Firewall --> DMZ

would be any more secure than this:

internet --> Outer Firewall --> DMZ --> Inner Firewall --> LAN

or this:

internet -->  Firewall --> LAN
                             --> DMZ

which are the setups that I've seen.  Can you give some 
justification/explanation on why you think that would be better?

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"All I want is a few minutes alone with the source code for the universe and
a quick recompile."
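Des's point above is that a single firewall with an extra NIC gives the segmentation that matters: the outside world reaches only the published DMZ services, and neither the Internet nor a compromised DMZ host can initiate connections into the LAN. The following is an added illustration, not code from the thread: a small zone-based policy model for that three-legged layout, with constructed address ranges (192.0.2.0/24 for the DMZ, 10.10.0.0/16 for the LAN) and an assumed list of published services.

```python
import ipaddress

# Constructed addressing for one three-legged firewall: an Internet uplink,
# a DMZ NIC and a LAN NIC. Anything outside these two ranges is "internet".
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # publicly reachable hosts
    "lan": ipaddress.ip_network("10.10.0.0/16"),   # internal workstations/servers
}

# Assumed list of services the DMZ publishes: (host, TCP port).
PUBLISHED = {
    ("192.0.2.10", 80),
    ("192.0.2.10", 443),
    ("192.0.2.25", 25),
}


def zone_of(ip: str) -> str:
    """Map an address to the firewall leg it arrives on."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def permits(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide whether a NEW connection is allowed across the firewall.

    Only connection initiation is modelled; replies for an allowed
    connection are assumed to pass via state tracking.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == "internet":
        # Outside world reaches only published DMZ services, never the LAN.
        return dst == "dmz" and (dst_ip, dst_port) in PUBLISHED
    if src == "dmz":
        # A compromised DMZ host must not be able to open connections inward.
        # Outbound from the DMZ is allowed here as an assumed policy choice.
        return dst == "internet"
    if src == "lan":
        # Internal users may reach DMZ services and the Internet.
        return dst in ("dmz", "internet")
    return False


def isolation_holds(lan_hosts, dmz_hosts, ports=(22, 80, 443, 445)) -> bool:
    """Check the invariant Des describes: nothing initiates into the LAN
    from the DMZ or the Internet, on any of the sampled ports."""
    outside = ["203.0.113.5"] + list(dmz_hosts)      # constructed probe sources
    return not any(permits(s, d, p) for s in outside for d in lan_hosts for p in ports)
```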






