Firewall Wizards mailing list archives

RE: DMZ or not ?


From: sean.kelly () lanston com
Date: Thu, 7 Oct 1999 14:32:59 -0400

Currently, we're using Linux as a firewall box, with port
forwarding to our mail server, which is behind the firewall.

We are now on our way to installing a public web server and a DNS
server. What are the advantages and disadvantages of placing
these servers behind the firewall and performing
NAT or port forwarding, instead of using a DMZ?

If you have a firewall with a couple of ports, a good solution would be to put
the web server in its own loop, protected by the firewall, and your LAN in
another loop.  This way, you can restrict access to the web server to, say,
port 80, but if it's compromised the hacker doesn't gain access to your LAN.

With a simpler firewall (one port to the internet, one port to your LAN), I'd
advise putting the web server in the DMZ.  Keep backups, and if it's
compromised you just reload from tape.

As for your DNS server.... it depends on whether that server will be
handling DNS stuff for machines on your LAN or just public machines.  You
might want a DNS server inside the firewall for internal machines and a
second one outside for public IPs.

Sean
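
The three-legged layout Sean describes (Internet, LAN and a separate DMZ segment each on its own firewall interface, with the public servers published through NAT), written out as an iptables ruleset. This is an added example, not from the original post or the 1999 Linux box it discusses (which would have run ipchains). Interface names, the RFC 5737 public addresses and the private address ranges are assumptions. By default the script only prints the commands; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: three-legged Linux firewall with a DMZ segment.
# Interface names and addresses below are assumptions, not from the post.
# Dry run by default: prints the iptables commands instead of applying them.
IPT="${IPT:-echo iptables}"

WAN=eth0                  # interface towards the Internet
LAN=eth1                  # internal LAN
DMZ=eth2                  # DMZ holding the public servers
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
WEB=192.168.2.10          # public web server (DMZ)
EXT_DNS=192.168.2.11      # public/authoritative DNS server (DMZ)
INT_DNS=192.168.1.53      # internal resolver for LAN hosts (LAN side)
PUBLIC_WEB=203.0.113.10   # public address NATed to $WEB
PUBLIC_DNS=203.0.113.11   # public address NATed to $EXT_DNS

dmz_rules() {
  # Default deny for everything routed between segments.
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Internet -> DMZ: only the published services, to the specific hosts.
  $IPT -A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp --dport 80 -j ACCEPT
  $IPT -A FORWARD -i $WAN -o $DMZ -d $EXT_DNS -p udp --dport 53 -j ACCEPT
  $IPT -A FORWARD -i $WAN -o $DMZ -d $EXT_DNS -p tcp --dport 53 -j ACCEPT

  # LAN -> DMZ and LAN -> Internet: allowed (tighten further if desired).
  $IPT -A FORWARD -i $LAN -s $LAN_NET -o $DMZ -j ACCEPT
  $IPT -A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT

  # DMZ -> LAN: deliberately no ACCEPT rule. A compromised web server is
  # stopped by the FORWARD DROP policy; only replies to LAN-initiated
  # connections get through via the ESTABLISHED,RELATED rule above.

  # DMZ -> Internet: only what the servers themselves need.
  $IPT -A FORWARD -i $DMZ -s $EXT_DNS -o $WAN -p udp --dport 53 -j ACCEPT
  $IPT -A FORWARD -i $DMZ -s $EXT_DNS -o $WAN -p tcp --dport 53 -j ACCEPT

  # Split DNS: LAN hosts use the internal resolver, which alone may query
  # outside; LAN clients never need to talk to the DMZ name server.
  $IPT -A FORWARD -i $LAN -s $INT_DNS -o $WAN -p udp --dport 53 -j ACCEPT
  $IPT -A FORWARD -i $LAN -s $INT_DNS -o $WAN -p tcp --dport 53 -j ACCEPT

  # NAT: publish the DMZ hosts on their public addresses (DNAT happens in
  # PREROUTING, so the FORWARD rules above match the private addresses).
  $IPT -t nat -A PREROUTING -i $WAN -d $PUBLIC_WEB -p tcp --dport 80 \
       -j DNAT --to-destination $WEB
  $IPT -t nat -A PREROUTING -i $WAN -d $PUBLIC_DNS -p udp --dport 53 \
       -j DNAT --to-destination $EXT_DNS
  $IPT -t nat -A PREROUTING -i $WAN -d $PUBLIC_DNS -p tcp --dport 53 \
       -j DNAT --to-destination $EXT_DNS

  # Hide LAN and DMZ source addresses behind the firewall on the way out.
  $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
  $IPT -t nat -A POSTROUTING -o $WAN -s $DMZ_NET -j MASQUERADE
}

dmz_rules
```

Run it once as shown to review the generated commands, then apply with `IPT=iptables sh dmz.sh` as root and confirm with `iptables -L FORWARD -nv` that the only accept rules into the DMZ from the WAN side are the published ports and that no rule accepts traffic arriving on the DMZ interface bound for the LAN.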
