Hello Tiago,
> I like to place one dmz in my net but my boss like an arguments for
> this...
> I find in the net why dmz is better than a simple firewall?
> but not found nothing concrete to display to my boss

Building a DMZ because you want to have one is a loss of money and other resources. A DMZ makes sense in the following scenarios:

- You offer some service (web, dns, email, ftp, etc) to the outside world

  In this case a DMZ is essential because you have to allow access to the servers. If these servers are in your internal net and have some security flaws, an attacker is immediately on your internal fileserver, database server, etc and can do a lot of damage. If you have a DMZ with properly configured firewalls the damage is restricted to the failing server or, in a worse case, to all machines in the DMZ. An article about the benefits of a properly configured DMZ infrastructure can be found here: http://www.linuxsecurity.com/feature_stories/ftp-analysis-part1.html

- You need a separated area to do intrusion detection

  In this case you build an area between two firewalls to monitor traffic in a relatively sane environment. You may want to place devices here that can cancel malicious connections before they can reach your servers.

- You don't trust one firewall reseller

  If you don't trust one firewall reseller (firewall technique, etc) you can build a "DMZ" by putting two different firewalls in series. If one device fails, the other might withstand the attack. Therefore it is important in any form of DMZ to use two different firewalls on two different operating systems.

- You won't allow direct connections from your internal LAN to the internet

  Here you can place proxy machines in the DMZ that do application level firewalling to avoid the incubation of your internal LAN by viruses, Trojans, etc.

Of course, any combination of the above scenarios is possible.

hth
Volker
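As an added example, not taken from Volker's mail or from any product he mentions, here is one way to express the first and last scenario above as the forward policy of a three-interface Linux firewall in nftables. The interface names (wan, dmz, lan), the DMZ addresses (RFC 5737 TEST-NET-1), the web server at 192.0.2.10 and the proxy at 192.0.2.20 on port 3128 are all constructed assumptions for illustration.

```nftables
# Added example: three-zone DMZ policy, default deny between zones.
# All interface names and addresses below are constructed for illustration.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny

        ct state established,related accept   # replies to flows allowed below
        ct state invalid drop

        # Scenario 1: the web server is published to the world, but only
        # its service ports and only into the DMZ, never into the LAN.
        iifname "wan" oifname "dmz" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept

        # Scenario 4: the LAN never reaches the internet directly; it may
        # only talk to the proxy in the DMZ (assumed to listen on 3128).
        iifname "lan" oifname "dmz" ip daddr 192.0.2.20 tcp dport 3128 accept
        iifname "lan" oifname "wan" counter drop

        # Only the proxy, not every DMZ host, may fetch content and
        # resolve names on behalf of the LAN.
        iifname "dmz" oifname "wan" ip saddr 192.0.2.20 tcp dport { 80, 443 } accept
        iifname "dmz" oifname "wan" ip saddr 192.0.2.20 udp dport 53 accept

        # Containment: a compromised DMZ host gets no path into the LAN.
        # Logging these attempts gives a cheap indicator that a DMZ host
        # is misbehaving.
        iifname "dmz" oifname "lan" log prefix "dmz-to-lan blocked: " drop

        # Administration of DMZ hosts is initiated from the LAN only.
        iifname "lan" oifname "dmz" ip daddr 192.0.2.0/24 tcp dport 22 accept
    }
}
```

Following Volker's third point, this ruleset would be one of two firewalls in series, with the same policy written for a second, different product on the other box.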