Re: Basic Network Configuration

["Neal K. Groothuis" <ngroot-securityfocus () lo-cal org>]

On Tue, Oct 14, 2003 at 12:40:12PM -0400, Smith, KC wrote:
> My new company uses 3 separate NICs in
> the same firewall.  One for inbound, one for the LAN and one for the DMZ.
> Each has it's own address block.  
>
> It seems like using the firewall to do this makes sense, but 
> I'd appreciate some external confirmation on that.  

Yes, it does make sense, although what you have now is not a proper
DMZ, but a screened subnet.  This is typically considered a slightly
less secure configuration than a true DMZ (two firewalls,) but IME
is a perfectly acceptable way to do things.  To my knowledge, the only
big thing that a DMZ buys you over a screened subnet is that to access the
LAN from the outside, an intruder would have to compromise both the 
inner and the outer firewall.  As long as you keep the firewall
box locked down tight (e.g., up to date on security patches, no
extraneous services, connections only accepted from trusted hosts,)
this will do fine, and will simplify some things, like log reviews.

> The second issue is this: is there a rule of thumb to determine what 
> should and should not go in the DMZ vs. the LAN?  It seems
> to me that anything that requires access from outside the network (Ex. DNS
> servers, Mail servers, demo servers, etc.) should go in the DMZ.  True?

True.

-- 
A faith; this is a necessity for man. Woe to him who believes nothing.
                                                --Victor Hugo
                                                  Les Miserables
PGP key available upon request or at http://www.imsa.edu/~ngroot/

Attachment: _bin
Description: