Firewall Wizards mailing list archives
RE: DMZ or not ?
From: "Mike Coppage" <coppagm () nationwide com>
Date: Wed, 13 Oct 1999 09:50:35 -0400
I'm not an expert, but here's my simple look at how this risk stacks up. If you put your DMZ off a NIC on the firewall, then you have to really worry about your internal connections back into your network. If you have none, then the risk is really no different than if you used the more traditional DMZ. However, making this assumption is not realistic in today's business environment, so you will have connections back into the internal network in some form or other. This means that somehow you must protect these connections and the machines behind them. If you don't, then your risk would essentially be the same as if you removed your firewall from the equation and just relied on the head-end router for protection. In a traditional DMZ you would have the firewall to offer some protection to your internal application/DBMS servers while your servers in the DMZ act as sacrifices.

Somebody please flame me if I'm wrong about this.

-----Original Message-----
From: owner-firewall-wizards () lists nfr net [mailto:owner-firewall-wizards () lists nfr net] On Behalf Of Moore, James
Sent: Friday, October 08, 1999 6:53 PM
To: Thomas Crowe; fgb () domain com br; firewall-wizards () nfr net
Subject: RE: DMZ or not ?

Could someone expand on this advice, and list/explain the additional risks assumed by operating between the router and firewall (as opposed to operating off a third firewall interface)?

James Moore

-----Original Message-----
From: Thomas Crowe [SMTP:thomas.crowe () bellsouth net]
Sent: Friday, October 08, 1999 7:29 AM
To: fgb () domain com br; firewall-wizards () nfr net
Subject: RE: DMZ or not ?

That depends a lot on what definition of a DMZ you're using! If you mean the classical definition of a DMZ, i.e. in between the router and the firewall, *unprotected* except by router ACLs, then my advice would be: don't do it, not under any circumstances! (OK, maybe one or two circumstances.) If you're referring to the somewhat more contemporary definition of a DMZ, i.e. another interface off your firewall, whereas all traffic must still traverse the firewall, then I would say go for it. That way, *when* your public machines get hacked, your internal network is still protected; this is good, very good :-).

NAT is a good thing, but it is security through obscurity, which isn't very secure in and of itself.

Just my $0.02

Thomas Crowe
Production Network Systems Administrator
BellSouth Online
678-441-7454

-----Original Message-----
From: owner-firewall-wizards () lists nfr net [mailto:owner-firewall-wizards () lists nfr net] On Behalf Of fgb () domain com br
Sent: Wednesday, October 06, 1999 9:57 AM
To: firewall-wizards () nfr net
Subject: DMZ or not ?

Hello wizards,

Divergences are occurring here in my office about the use of a DMZ, and I hope the wizards will give me some explanations and/or secure information about the better implementation.

Currently, we're using Linux as a firewall box, with port forwarding to our mail server, which is behind the firewall. We are now on the way to installing a public web server and a DNS server. What are the advantages and disadvantages of placing these servers behind the firewall and performing NAT or port forwarding, instead of using a DMZ? Which of the options should I implement here in my office to have a secure site?

Thanks and regards,

Fábio Baptista
fgb () domain com br
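As an added illustration (not written by anyone in the thread), here is a small Python model of the "third firewall interface" design Thomas and Mike describe: Internet, DMZ and internal networks each on their own leg, every packet evaluated against one policy, and a check that lists the DMZ-to-internal "connections back into your network" that Mike says must be protected. All addresses, ports and zone ranges are constructed for the example.

```python
"""Three-legged firewall policy model: Internet / DMZ / internal zones."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addressing (not from the original thread).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),      # public web, DNS, mail relay
    "internal": ip_network("10.0.0.0/8"),   # application / DBMS servers
}

def zone_of(addr: str) -> str:
    """Map an address to its firewall leg; anything unknown is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str   # "any" or one address
    dport: int      # 0 = any port
    action: str     # "accept" or "drop"

# Constructed policy; anything not matched falls through to drop.
POLICY = [
    Rule("internet", "dmz", "192.0.2.10", 80, "accept"),    # public web server
    Rule("internet", "dmz", "192.0.2.20", 53, "accept"),    # public DNS
    Rule("internet", "dmz", "192.0.2.30", 25, "accept"),    # mail relay
    Rule("dmz", "internal", "10.0.5.5", 1521, "accept"),    # web -> DBMS only
    Rule("internal", "dmz", "any", 0, "accept"),            # admins reach DMZ
    Rule("internal", "internet", "any", 0, "accept"),       # outbound browsing
]

def evaluate(src: str, dst: str, dport: int, policy=POLICY) -> str:
    """First-match evaluation; implicit default deny between all legs."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in policy:
        if (r.src_zone == sz and r.dst_zone == dz
                and r.dst_host in ("any", dst) and r.dport in (0, dport)):
            return r.action
    return "drop"

def dmz_reachback(policy=POLICY) -> list:
    """(host, port) pairs a compromised DMZ box can still reach internally.

    This is exactly the exposure Mike describes: each entry is a path a
    sacrificial DMZ server has back into the internal network, so each
    must be justified, minimised and the target hardened."""
    return sorted((r.dst_host, r.dport) for r in policy
                  if r.src_zone == "dmz" and r.dst_zone == "internal"
                  and r.action == "accept")
```

Run `dmz_reachback()` after every policy change; the list should only ever contain the application/DBMS ports the public servers genuinely need.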