Interestingly, the NIST firewalls document recommends NOT using the collapsed DMZ 
design for this and another compelling reason.
If an attacker attempts a denial of service attack on your hosts in the server segment 
(DMZ), they will also kill your connection from internal systems to the firewall and DMZ 
hosts, making it even harder to defend against co-ordinated DoS and intrusion attacks. 
The idea of having the DMZ behind a screening router/stateful inspection firewall but 
ahead of a proxy firewall connecting to the internal network is more secure in that a fast 
router/firewall can handle DoS attempts much better than a proxy, but the proxy is 
also protected from the DoS.

-----Original Message-----
From: Laura A. Robinson [mailto:[EMAIL PROTECTED]]
Sent: Thu April 04 2002 16:52
To: Clifford Thurber; Bill Royds; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: Basic DMZ Setup Questions...


I wouldn't oversimplify like that. Collapsed structure versus two firewalls
is a very debatable topic. Why? Because if I hack your external firewall
(the firewall itself, not a machine behind it) and your *separate* internal
firewall is a *different* firewall, all I've done so far is compromise your
DMZ. If you have a single firewall and there's an exploit out there for it
that you've not yet patched against or a hack you don't know about, when I
compromise your firewall I've now potentially compromised your entire
network.

With that said, as I steadfastly maintain, a firewall is merely a speed bump
against a skilled, dedicated intruder.

Laura
----- Original Message -----
From: "Clifford Thurber" <[EMAIL PROTECTED]>
To: "Laura A. Robinson" <[EMAIL PROTECTED]>; "Bill Royds"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, April 04, 2002 4:29 PM
Subject: Re: Basic DMZ Setup Questions...


> This was traditionally the architecture before the DMZ became collapsed.
>
> At 12:13 PM 4/4/2002 -0500, Laura A. Robinson wrote:
> >A "true" DMZ may have a firewall between the Internet and the DMZ, as well
> >as between the DMZ and the intranet.
> >
> >Laura
> >----- Original Message -----
> >From: "Bill Royds" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> >Sent: Wednesday, April 03, 2002 8:11 PM
> >Subject: RE: Basic DMZ Setup Questions...
> >
> >
> >A true DMZ is the net between the firewall and the Internet, not behind a
> >firewall. If this is the case, then you have the choice of a public address
> >or a simple 1-1 NAT (IP redirect) set up on your NAT enabled router. If your
> >router can handle Port Address Translation, where it sends the traffic from
> >a single Internet address to separate servers depending on destination port,
> >you can save Internet IP space by using private addresses. But your servers
> >are not being protected by your firewall.
> >
> >If it is the more common server segment on a third NIC of the firewall, then
> >it can use private address space, either IP redirect, PAT or full dynamic
> >NAT. But it still would be a good idea to set up this server segment with a
> >separate subnet address to ease routing and rule making on the firewall.
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED]]On Behalf Of John S. Strock
> >Sent: Wed April 03 2002 18:26
> >To: [EMAIL PROTECTED]
> >Subject: Basic DMZ Setup Questions...
> >
> >
> >I have a few questions regarding setting up a DMZ.  Currently our
> >public servers are behind our LAN port on our Firewall, with only the
> >ports we need opened.  I would like to move these servers to the DMZ
> >port of our SonicWall DMZ firewall.  My question is...once I put
> >something in the DMZ, do I need to give it a different IP address,
> >meaning do I need to change it from an internal LAN IP to an external
> >WAN IP?  Currently, my NAT router handles that.  And if I do give it a
> >WAN IP, does that mean I take it out of my NAT table?  I plan on using
> >our HP Switch to create 2 VLANs, one for our LAN and one for the DMZ
> >Zone (currently our switch is not VLANed and it's used for our internal
> >LAN).  Would this work, is this a good idea?  Can you give me any basic
> >setup ideas/suggestions?
> >
> >Thanks!
> >
> >John
> >_______________________________________________
> >Firewalls mailing list
> >[EMAIL PROTECTED]
> >http://lists.gnac.net/mailman/listinfo/firewalls
> >
>

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
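The "server segment on a third NIC of the firewall" design that Bill Royds describes, and the reason Laura gives for keeping the DMZ from reaching the LAN, can be modelled in a few lines. The following is an added example, not code from the thread or from any of the products mentioned: it translates one public address to separate DMZ servers by destination port (PAT) and then applies a zone policy in which the DMZ sits on its own private subnet. Every address, port and policy entry is constructed for illustration.

```python
"""Added example (not from the thread): a toy model of a three-NIC firewall
with port address translation (PAT) and zone rules that keep a compromised
DMZ host from reaching the internal LAN. All values are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

PUBLIC_IP = ip_address("203.0.113.10")        # constructed public address (documentation range)
ZONES = {                                      # private segments behind the firewall
    "dmz": ip_network("192.168.100.0/24"),     # constructed DMZ subnet (its own subnet, as Bill suggests)
    "lan": ip_network("192.168.1.0/24"),       # constructed internal LAN subnet
}

# PAT table: (public address, destination port) -> (DMZ server, port).
PAT = {
    (PUBLIC_IP, 80):  (ip_address("192.168.100.10"), 80),
    (PUBLIC_IP, 443): (ip_address("192.168.100.10"), 443),
    (PUBLIC_IP, 25):  (ip_address("192.168.100.20"), 25),
}

# Zone policy: (source zone, destination zone) -> allowed destination ports.
# "any" means all ports; an empty set means nothing crosses in that direction.
POLICY = {
    ("internet", "dmz"): {80, 443, 25},   # only the published services
    ("dmz", "internet"): {25, 53},        # outbound mail and DNS from the DMZ
    ("lan", "dmz"): "any",
    ("lan", "internet"): "any",
    ("dmz", "lan"): set(),                # a compromised DMZ host stays in the DMZ
    ("internet", "lan"): set(),
}


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def zone_of(addr: IPv4Address) -> str:
    """Map an address to its zone; anything outside the private nets is 'internet'."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def translate(pkt: Packet):
    """Apply inbound PAT. Returns (possibly rewritten packet, translated flag)."""
    target = PAT.get((pkt.dst, pkt.dport))
    if target is None:
        return pkt, False
    real_ip, real_port = target
    return Packet(pkt.src, real_ip, real_port), True


def decide(src: str, dst: str, dport: int) -> str:
    """Return the firewall verdict for one packet: 'ACCEPT' or 'DROP'."""
    pkt, translated = translate(Packet(ip_address(src), ip_address(dst), dport))
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    # A packet to the firewall's own public address with no PAT entry has
    # nowhere to go: that port is simply not open.
    if not translated and pkt.dst == PUBLIC_IP:
        return "DROP"
    # Private addresses are not routable from the Internet; a packet arriving
    # from outside that already carries one is spoofed or misrouted.
    if src_zone == "internet" and dst_zone != "internet" and not translated:
        return "DROP"
    if src_zone == dst_zone:
        return "ACCEPT"  # stays on one segment and never crosses the firewall
    allowed = POLICY.get((src_zone, dst_zone), set())
    if allowed == "any" or pkt.dport in allowed:
        return "ACCEPT"
    return "DROP"


if __name__ == "__main__":
    samples = [
        ("198.51.100.7", "203.0.113.10", 80),      # Internet -> published web server
        ("198.51.100.7", "203.0.113.10", 22),      # Internet -> port with no PAT entry
        ("192.168.100.10", "192.168.1.5", 445),    # DMZ host -> LAN file share
        ("192.168.1.5", "192.168.100.10", 80),     # LAN -> DMZ web server
        ("192.168.100.20", "198.51.100.7", 25),    # DMZ mail server -> Internet relay
    ]
    for src, dst, port in samples:
        print(f"{src} -> {dst}:{port}  {decide(src, dst, port)}")
```

The point of the model is the `("dmz", "lan")` entry: with the servers on their own subnet, the rule that a DMZ host may never open a connection into the LAN is a single line, which is the "ease routing and rule making" Bill mentions, and it is what limits the damage in Laura's scenario where only the DMZ is compromised.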
