Stewart, Chris B wrote:
>
> I am in desperate need of some help. I am considering implementing a DMZ in
> my network and am interested in knowing how to set up a DMZ. What I would
> like to do is put my Web server and mail server behind the DMZ on a
> completely different subnet. What I don't understand is how is the routing
> functionality accomplished?
Depends. There are lots of ways to do a DMZ; the generic answer is "the
same way it works everywhere else," all the rules of TCP/IP apply.
Specifics, regrettably, depend on the needs of the site. Don't start
designing anything until you know for sure what you need to accomplish.
> Do I have to have a dedicated router for this?
Technically you can do it all on the same wire with virtual subnets, but
I can tell you from experience that this is (a) difficult and (b) a good
deal less secure than using a physically separated net.
> If we do, how do we have sessions from LAN to DMZ but not other way?
Firewalling rules on the router between the DMZ and the LAN. A more
specific answer will depend on the tools you choose. Meanwhile, brush
up on your TCP/IP basics.
> Is this
> done by the router or the firewall?
Careful with those terms, Eugene. ;)
"Firewall" can mean many things, one of which is "a smart router." A
lot of people would say that anybody who deploys a router these days
without firewalling rules of some sort is asking for trouble.
> Also, is the DMZ most commonly a
> separate appliance or is it an extra NIC in my firewall configured with a
> different IP address.
Could be either, but remember that if somebody compromises your border
router, and that border router is also the LAN router, you have a bigger
problem than you would if somebody just compromised the border router.
That said, they're more likely to go after other targets if you do your
job right, so once again, depends on you.
Depending on what sort of machinery you plan to use for this, there are
lots of sources for more specific information. Do you have some
background in UNIX, Cisco, (*shiver*) Windows, $OTHER?
Anyhow, the schematics I've seen for DMZ nets have usually looked like
one of these:
[internet]------[router]-------[LAN]
                   |
                   |
                 [DMZ]
or
[internet]--[router]--[DMZ]--[router]--[LAN]
In both diagrams you can drop in any of a number of actual devices for
the "router" nodes: a Cisco (probably one of their PIX products, at
least for the outer node), a PC running OpenBSD, a Solaris beast,
$SOMETHING_ELSE...
HTH,
-m
--
~~~Michael Jinks, IB // Technical Entity // Saecos Corporation~~~~
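One concrete instance of the first topology above (a single router/firewall with a third NIC for the DMZ), added here as an example and not taken from the original thread: a minimal OpenBSD pf ruleset in which the LAN may open sessions into the DMZ, the internet may reach only the published web and mail services, and no DMZ host may open a session into the LAN. Interface names, subnets and server addresses are assumptions for the example.

```pf
# Added example: three-legged pf.conf. Interface names and addresses are
# assumed values, not taken from the thread.
ext_if   = "em0"             # towards the internet
lan_if   = "em1"             # internal LAN
dmz_if   = "em2"             # DMZ, on its own subnet
lan_net  = "192.168.1.0/24"
dmz_net  = "192.168.2.0/24"
web_srv  = "192.168.2.10"
mail_srv = "192.168.2.20"

set skip on lo

# Default deny on every interface. States are floating by default, so a
# session admitted on one interface is also allowed out of the next one.
block log all

# LAN may open sessions towards the DMZ (and the internet). Reply packets
# are matched by the state table, never by a rule of their own, which is
# what keeps the DMZ from initiating anything back.
pass in on $lan_if proto { tcp udp icmp } from $lan_net to any keep state

# Internet may reach only the published services in the DMZ.
pass in on $ext_if proto tcp from any to $web_srv  port { 80 443 } keep state
pass in on $ext_if proto tcp from any to $mail_srv port 25 keep state

# No DMZ host may open a session into the LAN; log attempts so a
# compromised DMZ box shows up. The mail server alone may deliver
# outbound mail; nothing else leaves the DMZ on its own initiative.
block log quick on $dmz_if from $dmz_net to $lan_net
pass in on $dmz_if proto tcp from $mail_srv to any port 25 keep state
```

Load with `pfctl -f /etc/pf.conf` and inspect the resulting state entries with `pfctl -ss` to confirm that DMZ-to-LAN traffic only ever appears as the reply half of a LAN-initiated session.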
_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls