You are missing the point. The basic idea is that the firewall will
only allow connections from the LAN to the DMZ port 25 (keep state),
not the reverse and not other connections. So the LAN will be isolated
from the DMZ ... If someone cracks the DMZ, they will be unable to see or to
interact with the LAN. The attacker will only be able to see the email
messages (PGP is for that), nothing more.

[]`s

Daniel B. Cid
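As an added illustration of the stateful three-legged policy Daniel describes (this is example code, not anything posted in the thread): the firewall keeps state only for LAN- or Internet-initiated SMTP flows to the DMZ mail server, and anything the DMZ itself originates toward the LAN is dropped. The zone networks, the mail server address and the port numbers are constructed for the example.

```python
# Added model of the three-legged, stateful policy described in the thread
# (not any poster's code). Zones, addresses and ports are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the LAN and DMZ legs; anything else is Internet.
ZONES = {"LAN": ip_network("192.168.1.0/24"), "DMZ": ip_network("10.0.0.0/24")}
MAIL_SERVER = ip_address("10.0.0.25")  # constructed DMZ mail server address
SMTP = 25

def zone_of(addr: str) -> str:
    a = ip_address(addr)
    return next((z for z, net in ZONES.items() if a in net), "INTERNET")

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Default deny; only flows the policy permits get a state entry,
    and only replies matching a state entry may travel the other way."""

    def __init__(self) -> None:
        self.state: set[Flow] = set()

    def _policy_allows(self, f: Flow) -> bool:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        to_mail = ip_address(f.dst) == MAIL_SERVER and f.dport == SMTP
        # LAN -> DMZ and Internet -> DMZ: SMTP to the mail server only.
        if dst_zone == "DMZ" and src_zone in ("LAN", "INTERNET"):
            return to_mail
        # Nothing the DMZ originates passes, so a cracked mail server
        # cannot reach the LAN; direct Internet -> LAN is dropped too.
        return False

    def packet(self, src: str, sport: int, dst: str, dport: int) -> str:
        f = Flow(src, sport, dst, dport)
        if Flow(dst, dport, src, sport) in self.state:
            return "PASS"  # reply within an established LAN/Internet-initiated flow
        if self._policy_allows(f):
            self.state.add(f)  # keep state for the permitted new flow
            return "PASS"
        return "DROP"
```

The reply direction passes only because the LAN opened the flow first; the same DMZ host sending a fresh packet toward the LAN is dropped.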

>On Tue, 2003-06-10 at 13:58, Erik Vincent wrote:
> Let's put it in ASCII.
> 
>   Internet <-> Firewall <-> LAN
>                                     <->  DMZ  (MAIL server)
> 
> If the MAIL server is in the DMZ, you will still have the same problem.
> 
> If the MAIL server is cracked, since your LAN users need access to your
> MAIL server in the DMZ, passwords will still be sniffed. The only good
> thing I can see with this configuration is that the traffic between the LAN
> and the internet won't be sniffed (if you have configured a proxy server
> in the LAN portion of the network).
> 
> Or I'm missing something... 8-)
> 
> ed wrote:
> 
> >This won't be safe for the following reason.
> >
> >Say that we go for the two NIC approach. If the mail server is
> >compromised (but not the firewall, an attack that makes use of a port
> >that will be forwarded to the mail server) then the attacker will be
> >able to sniff all the traffic on the internal side of the firewall, he
> >will thus be able to get hold of information, passwords etc. etc. from
> >the TCP/IP streams of the computers that are supposed to be shielded
> >from the internet -and- from the DMZ.
> >
> >If we use three NICs then this can't happen unless the firewall is
> >compromised. It's far less likely that the firewall will be compromised if
> >properly configured than a machine in the DMZ will be compromised.
> >
> >On Mon, 2003-06-09 at 23:53, Mann, Bobby wrote:
> >  
> >
> >>You can deploy a safe networking environment using a firewall with only two
> >>nics. 
> >>
> >>Just use port address translation (PAT) to forward any request on port 25 to
> >>your mail server, which is on the internal network.  
> >>
> >>Is this secure?  Sure, if you lock down your access-lists correctly, harden
> >>your OS, mail server and clients.
> >>
> >>You should ask yourself why you need a firewall with a DMZ port.  It would
> >>be nice to separate public services from private ones, but it is not
> >>necessary if money is a big issue, and it sounds like it is.
> >>
> >>Btw...  If you really insist on having a DMZ and can't buy a firewall, then
> >>see if you can put 2 ip addresses on the same Internal NIC.  Create two
> >>separate networks on the same LAN (trunking would be better).  This way all
> >>clients must still pass through your firewall to hit the mail server.
> >>
> >>Bob.
> >>
> >>-----Original Message-----
> >>From: Des Ward
> >>To: 'William J. Burgos'
> >>Cc: [EMAIL PROTECTED]
> >>Sent: 6/9/03 10:46 AM
> >>Subject: RE: Firewall and DMZ topology
> >>
> >>Basically, you're going to have to get a machine with three NICs.  The
> >>purpose of a DMZ is to segment machines from your internal network
> >>whilst still providing protection for them.
> >>
> >>Any other solution will just not give you the right balance of security.
> >>
> >>Sorry
> >>
> >>-----Original Message-----
> >>From: William J. Burgos [mailto:[EMAIL PROTECTED] 
> >>Sent: 07 June 2003 15:06
> >>To: [EMAIL PROTECTED]
> >>Subject: Firewall and DMZ topology
> >>
> >>Greetings list,
> >>
> >>I would like to set up a SOHO network with a firewall and DMZ for mostly
> >>web serving and email. Of course, there are private PCs on the internal
> >>network, Windows and Linux.
> >>
> >>My connection is a dynamic IP on a pppoe and I already have an old
> >>laptop used as a simple firewall setup. 
> >>
> >>I am considering separating my web and email server to a dedicated
> >>machine and placing it in a DMZ.
> >>
> >>In searching on the web, I came up with a few topologies and I would
> >>like to ask the list of their opinion.
> >>
> >>I have sketched out a few scenarios below:
> >>
> >>1. | Internet |-->| Firewall |-->| DMZ |-->| internal network |
> >>
> >>This scenario (1) puts the DMZ between the firewall and internal
> >>network. I have read that this is insecure because if the DMZ is
> >>compromised, so will be the internal network. Is this true?
> >>
> >>2. | Internet |-->| Firewall |--->| internal network |
> >>                  |          |--->| DMZ |
> >>
> >>This scenario (2) uses three NICs for the firewall. One for the
> >>internal network, one for the DMZ and one for the Internet. I have read
> >>that this is a three-legged firewall setup. The drawback is that I would
> >>need three NICs for the firewall, which is now a laptop with only two.
> >>
> >>3. | Internet |-->| DMZ with Firewall |-->| internal network |
> >>
> >>This scenario (3) places the DMZ with the firewall on one box and then
> >>to the internal network. My concern is if I can secure the DMZ from the
> >>firewall on one box. Is there a way to secure this setup?
> >>
> >>4. | Internet |-->| DMZ |-->| Firewall |-->| internal network |
> >>
> >>This scenario (4) places the DMZ before the Firewall which leaves it
> >>open to the Internet. Is there a way to secure this setup? 
> >>
> >>I am trying to avoid having to get another box with three NICs for
> >>Scenario 2, if possible. However, I would feel safer in a setup that is
> >>less easy to break into.
> >>
> >>Any comments or suggestions would be appreciated.
> >>
> >>Thanks in advance.
> >>
> >>William Burgos
> >>
> >>
> >>------------------------------------------------------------------------
> >>---
> >>Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
> >>analysts!
> >>The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> >>while InStat has confirmed Neoteris as the leader in marketshare.
> >>     
> >>Find out why, and see how you can get plug-n-play secure remote access
> >>in
> >>about an hour, with no client, server changes, or ongoing maintenance.
> >>          
> >>Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> >>------------------------------------------------------------------------
> >>----
> >>
> >>