Thanks! All the comments have definitely helped! Now I have a much better idea of how to set this up.
Thanks again, John

> I would agree with the principle stated by both Laura and KK. It is
> actually a complex issue with DMZ placement, but what works for one
> company doesn't necessarily work for another, especially considering most
> organizations cannot afford two firewall appliances (or even if they
> could might just believe one offers adequate assurance).
>
> John S., given the original question, I would highly recommend at least
> perusing the O'Reilly "Building Internet Firewalls" book[1] for your
> own edification. This book will give you a great overview of the
> different firewall architectures, their principles, and the comparative
> advantages/disadvantages.
>
> In regards to your original post, I have three suggestions.
>
> > >I have a few questions regarding setting up a DMZ. Currently our
> > >public servers are behind our LAN port on our Firewall, with only the
> > >ports we need opened. I would like to move these servers to the DMZ
> > >port of our SonicWall DMZ firewall. My question is...once I put
> > >something in the DMZ, do I need to give it a different IP address,
> > >meaning do I need to change it from an internal LAN IP to an external
> > >WAN IP? Currently, my NAT router handles that. And if I do give it a
> > >WAN IP, does that mean I take it out of my NAT table? I plan on using
> > >our HP Switch to create 2 VLANs, one for our LAN and one for the DMZ
> > >Zone (currently our switch is not VLANed and it's used for our internal
> > >LAN). Would this work, is this a good idea? Can you give me any basic
> > >setup ideas/suggestions?
> > >
> > >Thanks!
> > >
> > >John
> >
> Whether you change your bastion host (public server) to RFC1918 addressing
> or not and whether you remove it from the NAT table depends on one
> question I would ask you. You haven't explained any details about the NAT
> router. My question to you is does it support packet filtering?
>
> Basically I can see two different approaches:
>
> 1. Screened subnet architecture
> If your NAT router does support packet filtering, you could leave it where
> it is, and add an ACL/packet filter that only allows access to the bastion
> host for ports that external users need to come in on. In this case, you
> could leave the bastion host with an RFC1918 (internal LAN) address, still
> allowing the router to do NAT. Then you could have the sonic firewall
> protect the inside network. This would have the effect of leveraging your
> existing hardware to have the sonicwall dedicated to protecting the
> internal network, and your NAT router protecting the bastion hosts by
> allowing ONLY packets in on services absolutely necessary.
>
> 2. Merged Routers and Bastion Host Using General Purpose Hardware (page
> 704, O'Reilly)
> I believe this would be the collapsed DMZ others are referring to.
> With this configuration, remove the NAT table entry for the bastion host,
> and either:
> A. re-IP to a public address allocated by your provider, having the
> SonicWall do all packet filtering.
> OR
> B. Retain the RFC1918 address, and have the SonicWall do NAT (instead of
> the NAT router), implementing all of the packet filtering that needs to
> be done.
>
> Keep in mind that I am not familiar in any way with the Sonicwall product,
> and make the assumption that it supports NAT.
>
> With this configuration, the SonicWall is the workhorse here, protecting
> both internal and DMZ networks. The SonicWall has three interfaces: one
> connected to the NAT router, one to the DMZ, and one to the internal
> network. If you did go with this configuration, I would also suggest
> bypassing the switch on the DMZ network by connecting the SonicWall DMZ
> port straight to the Bastion host via a crossover cable. With this
> approach, you eliminate any attacks on spoofing MAC addresses,
> manipulating ARP tables, VLAN misconfigurations, etc., on the switch.
>
> 3. Last, don't ever feel safe just because you have the firewall and think
> you have the "right" configuration. Host security (on the bastion host,
> in your case) is just as important as a properly designed firewall
> architecture, if not more so.
>
>
> Hope this helps, and good luck.
> -Jason
>
> [1] Building Internet Firewalls, Second Edition. Zwicky, Elizabeth, et
> al. O'Reilly and Associates, 2000: Sebastopol, CA.
>
>
>
> On Thu, 4 Apr 2002, kk downing wrote:
>
> > With the rise of firewall appliances and multi-nic cards many
> > organizations run a collapsed DMZ. Obviously the two firewall
> > architecture is a good idea but how many organizations actually pick
> > two different firewall vendors and apply this approach?
> >
> >
> > --- "Laura A. Robinson" <[EMAIL PROTECTED]> wrote:
> > > I wouldn't oversimplify like that. Collapsed structure versus two
> > > firewalls is a very debatable topic. Why? Because if I hack your
> > > external firewall (the firewall itself, not a machine behind it) and
> > > your *separate* internal firewall is a *different* firewall, all I've
> > > done so far is compromise your DMZ. If you have a single firewall and
> > > there's an exploit out there for it that you've not yet patched
> > > against or a hack you don't know about, when I compromise your
> > > firewall I've now potentially compromised your entire network.
> > >
> > > With that said, as I steadfastly maintain, a firewall is merely a
> > > speed bump against a skilled, dedicated intruder.
> > >
> > > Laura
> > > ----- Original Message -----
> > > From: "Clifford Thurber" <[EMAIL PROTECTED]>
> > > To: "Laura A. Robinson" <[EMAIL PROTECTED]>; "Bill Royds"
> > > <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > Sent: Thursday, April 04, 2002 4:29 PM
> > > Subject: Re: Basic DMZ Setup Questions...
> > >
> > >
> > > > This was traditionally the architecture before the DMZ became
> > > > collapsed.
> > > >
> > > > At 12:13 PM 4/4/2002 -0500, Laura A. Robinson wrote:
> > > > >A "true" DMZ may have a firewall between the Internet and the DMZ,
> > > > >as well as between the DMZ and the intranet.
> > > > >
> > > > >Laura
> > > > >----- Original Message -----
> > > > >From: "Bill Royds" <[EMAIL PROTECTED]>
> > > > >To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > > >Sent: Wednesday, April 03, 2002 8:11 PM
> > > > >Subject: RE: Basic DMZ Setup Questions...
> > > > >
> > > > >
> > > > >A true DMZ is the net between the firewall and the Internet, not
> > > > >behind a firewall. If this is the case, then you have the choice
> > > > >of a public address or a simple 1-1 NAT (IP redirect) set up on
> > > > >your NAT enabled router. If your router can handle Port Address
> > > > >Translation, where it sends the traffic from a single Internet
> > > > >address to separate servers depending on destination port, you
> > > > >can save Internet IP space by using private addresses. But your
> > > > >servers are not being protected by your firewall.
> > > > >
> > > > >If it is the more common server segment on a third NIC of the
> > > > >firewall, then it can use private address space, either IP
> > > > >redirect, PAT or full dynamic NAT. But it still would be a good
> > > > >idea to set up this server segment with a separate subnet address
> > > > >to ease routing and rule making on the firewall.
> > > > >
> > > > >-----Original Message-----
> > > > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
> > > > >Of John S. Strock
> > > > >Sent: Wed April 03 2002 18:26
> > > > >To: [EMAIL PROTECTED]
> > > > >Subject: Basic DMZ Setup Questions...

--
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
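As an added illustration (not code from any poster in this thread, and not a SonicWall or any vendor configuration), the following Python model expresses the policy that both of Jason's options and Bill's PAT remark boil down to: a three-zone firewall (WAN, DMZ, LAN) whose bastion hosts keep RFC1918 addresses, one public address with port-based forwarding to separate servers, a default-deny zone policy in which the DMZ has no path into the LAN, and an anti-spoofing check that a source address must belong to the interface it arrived on. All addresses, hosts, ports and the rule set are constructed for the example; the `evaluate` function returns a verdict and the post-NAT destination so the rules can be checked against sample connections.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the three firewall interfaces (example only).
PUBLIC_IP = ip_address("203.0.113.10")           # the one address from the ISP
ZONES = {
    "DMZ": ip_network("192.168.100.0/24"),         # RFC1918, bastion hosts
    "LAN": ip_network("192.168.1.0/24"),           # RFC1918, internal users
}

# Port-based forwarding on the public address (Bill's "PAT"): each published
# port is steered to a different private bastion host. Constructed values.
PAT = {
    ("tcp", 80):  (ip_address("192.168.100.10"), 80),    # web bastion
    ("tcp", 443): (ip_address("192.168.100.10"), 443),
    ("tcp", 25):  (ip_address("192.168.100.20"), 25),    # mail bastion
}

# Zone-pair policy, default deny. A port set of None means any port.
# There is deliberately no DMZ -> LAN rule: a compromised bastion gets no
# path inside, which is the whole point of putting it on its own interface.
POLICY = [
    ("WAN", "DMZ", "tcp", {80, 443, 25}),   # only the published services
    ("LAN", "WAN", "any", None),            # internal users out to the Internet
    ("LAN", "DMZ", "tcp", {22, 80, 443}),   # admins manage the bastions
    ("DMZ", "WAN", "udp", {53}),            # bastions may resolve DNS, nothing else
]


def zone_of(ip):
    """Map an address to the zone whose prefix contains it; else WAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass
class Packet:
    ingress: str    # interface the packet arrived on: "WAN", "DMZ" or "LAN"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


def evaluate(pkt):
    """Return (verdict, reason, final_dst) for the first packet of a flow."""
    src_zone = zone_of(pkt.src)
    # Anti-spoofing: a private LAN/DMZ source must not arrive on another interface.
    if src_zone != pkt.ingress:
        return "DROP", f"spoofed: {src_zone} address seen on {pkt.ingress}", None
    dst = ip_address(pkt.dst)
    # From the Internet only the public address is reachable; private
    # destinations are never routed in directly.
    if pkt.ingress == "WAN" and dst != PUBLIC_IP:
        return "DROP", "non-public destination from Internet", None
    # Destination NAT / PAT is applied before the policy lookup.
    if dst == PUBLIC_IP and (pkt.proto, pkt.dport) in PAT:
        dst, dport = PAT[(pkt.proto, pkt.dport)]
    else:
        dport = pkt.dport
    dst_zone = zone_of(str(dst))
    for sz, dz, proto, ports in POLICY:
        if (sz, dz) != (src_zone, dst_zone):
            continue
        if proto != "any" and proto != pkt.proto:
            continue
        if ports is None or dport in ports:
            return "ACCEPT", f"{sz}->{dz} {pkt.proto}/{dport}", str(dst)
    return "DROP", f"no rule for {src_zone}->{dst_zone} {pkt.proto}/{dport}", None


# Constructed sample flows exercising each zone pair.
SAMPLES = [
    Packet("WAN", "198.51.100.7", "203.0.113.10", "tcp", 80),    # public web
    Packet("WAN", "198.51.100.7", "203.0.113.10", "tcp", 25),    # public mail
    Packet("WAN", "198.51.100.7", "203.0.113.10", "tcp", 22),    # not published
    Packet("WAN", "192.168.1.5", "203.0.113.10", "tcp", 80),     # spoofed LAN src
    Packet("WAN", "198.51.100.7", "192.168.100.10", "tcp", 80),  # private dst
    Packet("DMZ", "192.168.100.10", "192.168.1.5", "tcp", 445),  # bastion -> LAN
    Packet("DMZ", "192.168.100.10", "198.51.100.53", "udp", 53), # bastion DNS
    Packet("LAN", "192.168.1.5", "192.168.100.10", "tcp", 22),   # admin -> bastion
]

if __name__ == "__main__":
    for p in SAMPLES:
        verdict, reason, final = evaluate(p)
        print(f"{p.ingress:3} {p.src:>15} -> {p.dst:>15} {p.proto}/{p.dport:<4} "
              f"{verdict:6} {reason}" + (f" (to {final})" if final else ""))
```

In Jason's option 1 the same WAN->DMZ row lives on the NAT router's ACL and the rest on the SonicWall; in option 2B the whole table lives on the single three-interface firewall. Either way the rows worth reviewing after a change are the ones that are absent: the lack of any DMZ->LAN entry is what limits a bastion compromise to the DMZ.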
