Firewall Wizards mailing list archives

Re: DMZ best practices


From: Jeromie Jackson <jeromie () garrison com>
Date: Mon, 18 Jan 1999 23:08:17 -0800

At 04:03 PM 1/16/99 -0800, John Kozubik wrote:

> Now, it is possible to put three NICs in your firewall, and then set up
> a filtering policy between the outside world and machines off of NIC #1,
> and set up a less stringent (or complete passthrough) filtering policy
> between the outside world and machines off of NIC #2.
> This is not exactly a DMZ, but a lot of vendors call it that.  This is,
> at best, a pseudo DMZ, because the machines are still behind the
> firewall.


I can think of 2 reasons why you would want to hang machines off a
third interface of a firewall, as opposed to off a hub in front of the
firewall:

1.  Central Audit - If everything has to go across your firewall, there is a
centralized audit log.  This can be useful in watching what a potential
hacker did, for TCP/IP info, etc., etc.

2.  Centralized Access Control - If you put your DMZ hosts outside the
firewall, you will need to implement ACLs on the routers, or properly
configure all the hosts in order to minimize the number of services you can
be attacked on.  If you place the machines off the third interface of the
firewall, you will have a GUI-driven, centralized access control mechanism.
Generally firewalls are easier to configure than router ACLs.


> Now, what kind of machines would you put in the DMZ?  Not many, in my
> opinion.  Mail, news, www, etc. should _always_ be behind a firewall
> with a security policy in place.

Your web server certainly should NOT be behind your firewall.  This would
completely compromise the function of the firewall.


> I would also put a hub between the router and the firewall - even if you
> don't connect a data collection machine there.  This way, if there is
> ever an emergency and you need to throw something outside the firewall
> (during an attack, for instance) you can do so without unplugging the
> network briefly.  Also, you can put in a second or third collection
> machine without disrupting network traffic.


Agreed.



Jeromie Jackson -CISSP
Garrison Technologies
760-633-1843
jeromie () garrison com
Web: http://www.garrison.com
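The following is an added illustration of the two points made above (central audit and centralized access control on a three-NIC firewall); it is example code, not part of the original post or any vendor product. It models a first-match policy on a firewall with an outside, a DMZ and an inside interface, logs every decision in one place, and drops anything not explicitly permitted, including DMZ-to-inside traffic. The interface names (eth0/eth1/eth2), the RFC 5737 address ranges and the sample flows are constructed assumptions; the model is stateless, so reply packets of established connections (which a real firewall handles with connection tracking) are not represented.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed interface names and address plan for the three-NIC firewall
# (constructed for this example; RFC 5737 documentation ranges).
OUTSIDE, DMZ, INSIDE = "eth0", "eth1", "eth2"
NETWORKS = {
    DMZ: ip_network("192.0.2.0/24"),
    INSIDE: ip_network("10.0.0.0/8"),
}


def iface_for(addr: str) -> str:
    """Map an IP address to the firewall interface it lives behind."""
    ip = ip_address(addr)
    for iface, net in NETWORKS.items():
        if ip in net:
            return iface
    return OUTSIDE  # anything not in a known internal net is the outside world


@dataclass(frozen=True)
class Rule:
    name: str
    in_if: str
    out_if: str
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # empty set = any destination port
    action: str         # "accept" or "drop"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# First-match policy: the firewall is the single place these decisions live,
# instead of per-router ACLs plus per-host hardening.
POLICY = [
    Rule("outside->dmz web", OUTSIDE, DMZ, "tcp", frozenset({80, 443}), "accept"),
    Rule("outside->dmz mail", OUTSIDE, DMZ, "tcp", frozenset({25}), "accept"),
    Rule("inside->dmz mgmt", INSIDE, DMZ, "tcp", frozenset({22, 80, 443}), "accept"),
    Rule("inside->outside", INSIDE, OUTSIDE, "any", frozenset(), "accept"),
    # A compromised DMZ host must not be able to reach the inside network.
    Rule("dmz->inside", DMZ, INSIDE, "any", frozenset(), "drop"),
    Rule("dmz->outside mail/dns", DMZ, OUTSIDE, "tcp", frozenset({25, 53}), "accept"),
]
DEFAULT_ACTION = "drop"  # anything not explicitly permitted is dropped


def evaluate(flow: Flow, policy=POLICY):
    """Return (action, matching rule name) for a new connection attempt."""
    in_if, out_if = iface_for(flow.src), iface_for(flow.dst)
    for rule in policy:
        if rule.in_if != in_if or rule.out_if != out_if:
            continue
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        return rule.action, rule.name
    return DEFAULT_ACTION, "default policy"


def audit(flows, policy=POLICY):
    """Produce one centralized log line per decision, accepted or dropped."""
    lines = []
    for f in flows:
        action, reason = evaluate(f, policy)
        lines.append(f"{iface_for(f.src)}->{iface_for(f.dst)} {f.proto} "
                     f"{f.src}->{f.dst}:{f.dport} {action.upper()} ({reason})")
    return lines


# Constructed sample flows covering each interface pair.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", "tcp", 443),  # public web hit on DMZ server
    Flow("198.51.100.7", "192.0.2.10", "tcp", 22),   # SSH from outside to DMZ
    Flow("198.51.100.7", "10.1.1.5", "tcp", 443),    # outside straight to inside
    Flow("192.0.2.10", "10.1.1.5", "tcp", 445),      # DMZ host trying to reach inside
    Flow("10.1.1.5", "192.0.2.10", "tcp", 22),       # admin managing a DMZ host
    Flow("10.1.1.5", "198.51.100.7", "tcp", 80),     # inside user browsing out
    Flow("192.0.2.10", "198.51.100.7", "tcp", 25),   # DMZ mail relay sending out
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Running the block prints one line per sample flow; the only accepted flows are the ones a rule names, and the DMZ-to-inside attempt is logged as a drop rather than silently discarded, which is the audit trail the post is after.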


