It's just a terminology issue.

A few years back, it was common to place world accessible servers between
the screening router (typically the router with the upstream ISP connection)
and the firewall.  This was mostly due to a lack of non-proxy firewalls.
With a true proxy or Application Layer Gateway (ALG) firewall, it's difficult
to allow inbound services.  (This was before the days of NAT/PAT and
stateful inspection.)

More recent designs use 3-legged firewalls and place world accessible
servers on the 3rd interface or "protected DMZ" interface of the firewall.
This allows for firewall filtering of traffic to the P-DMZ and also for
filtering of traffic from the P-DMZ to the internal network.  This helps
prevent compromise of the server to begin with, and in the event of a
compromise of the server it prevents the server from attacking the internal
network. (hopefully)

Since this is how most designs are done, the terminology "protected DMZ" has
fallen out of use and most people simply use the term DMZ when they mean
"protected DMZ".  I don't see many designs that call for placing servers on
a truly unprotected segment outside a firewall.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Farhan Ahmed
Sent: Tuesday, August 28, 2001 10:38 PM
To: [EMAIL PROTECTED]
Subject: inside, outside and dmz [7:17627]


comments below,

Isn't it better to keep mail servers and other servers inside and allow
only the ports that are required from outside, instead of putting them into
the DMZ and allowing more ports, in the case of Microsoft Exchange servers, web
servers with database connection, etc.?
What is the real benefit?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17945&t=17627
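
Added example, not part of either message: a small Python model of the two designs discussed in this thread (servers on the inside segment versus servers on the third leg of the firewall), comparing what a compromised web server can reach on the internal network. The host names, ports and rule tables are assumptions made up for the illustration.

```python
# Added illustration: hosts, ports and rules are constructed, not from the thread.
# A rule is (source zone, destination host, destination TCP port).

# Design A: two-legged firewall, public servers share the inside segment.
SERVERS_INSIDE = {
    "zones": {"mail": "inside", "web": "inside", "db": "inside", "pc": "inside"},
    "allow": [("outside", "mail", 25), ("outside", "web", 80)],
}

# Design B: three-legged firewall, public servers on the DMZ interface.
THREE_LEGGED = {
    "zones": {"mail": "dmz", "web": "dmz", "db": "inside", "pc": "inside"},
    "allow": [("outside", "mail", 25), ("outside", "web", 80),
              ("dmz", "db", 1433)],  # web front end to its database only
}

PORTS = [25, 80, 445, 1433]  # constructed sample of TCP ports to check


def zone_of(design, host):
    """Zone a host sits in; anything not listed is treated as outside."""
    return design["zones"].get(host, "outside")


def permitted(design, src, dst, port):
    """True if src can open a TCP connection to dst:port under this design."""
    s, d = zone_of(design, src), zone_of(design, dst)
    if s == d:
        return True  # same segment: the firewall never sees this traffic
    return (s, dst, port) in design["allow"]


def inside_exposure(design, compromised):
    """(host, port) pairs on the internal network reachable from one server."""
    return sorted((h, p) for h, z in design["zones"].items()
                  if z == "inside" and h != compromised
                  for p in PORTS if permitted(design, compromised, h, p))


if __name__ == "__main__":
    for name, design in (("servers inside", SERVERS_INSIDE),
                         ("three-legged", THREE_LEGGED)):
        print(name, inside_exposure(design, "web"))
```

Both designs expose the same ports to the outside; the difference is that in the first one the firewall is not in the path between the server and the rest of the inside segment.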