We have a similar situation. We bring all of our outside customers into a
single router that routes traffic into a DMZ with private addresses (serial
interface on router has public IP, routes to ethernet private IP connected
to DMZ). The DMZ has a lower security than the DMZ we provide services in.
This allows us to implicitly deny or allow anything from the lower security
DMZ our customers come in through to the DMZ we provide services in as well
as control our customers who come in through the internet to the services
DMZ. We have a separate DMZ for our public www/ftp/mail servers with a
higher security than the incoming client DMZ and a lower security than our
service DMZ. This allows the servers in the service DMZ to
communicate freely with servers in the public DMZ but not vice versa. It
also allows us to NAT public servers to both the clients who come into the
client DMZ and the outside. The problem with bringing your clients AND
hosting public servers in the same DMZ (in my opinion) is that if a hacker
gets a hold of one of those public servers, he/she would potentially
(depending on yer config in the router) have access to all your clients who
also come into that same DMZ.

I do not know if this answers your question, but I would recommend using
private addresses in all DMZs.

----- Original Message -----
From: "Steve Smith" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 22, 2000 4:17 PM
Subject: security
> Hey gang, a little OT but here it goes. I need a few "expert" opinions on a
> sore subject.
>
> If you have a big WAN, ATM DS3 connecting 6 cities, with a single internet
> access point. Our "security" manager feels that we should have public IPs
> running in our DMZ and our WAN from city to city. Then NAT/PAT into each
> location. The other way would be to have a DMZ at the internet access point,
> leave them public for web servers and such, then NAT/PAT through the
> firewall for the rest of the WAN.
>
> Any feelings?
>
> Thanks in advance.
> Steve
>
>
>
>
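
The zone layout described in the reply, modelled as an added example that is not part of either message. It assumes a firewall where traffic from a higher security interface to a lower one is permitted by default and the reverse is denied; the numeric levels, zone names and host names are constructed, since the reply gives only the ordering.

```python
from itertools import permutations

# Constructed levels (higher = more trusted); only the ordering comes from the reply.
SEPARATE = {"outside": 0, "client_dmz": 20, "public_dmz": 50, "service_dmz": 80}
# The layout the reply warns against: customers and public servers on one segment.
SHARED = {"outside": 0, "shared_dmz": 20, "service_dmz": 80}

# Hypothetical hosts, one per role, mapped to the zone they sit in.
HOSTS_SEPARATE = {"customer_a": "client_dmz", "www": "public_dmz", "app": "service_dmz"}
HOSTS_SHARED = {"customer_a": "shared_dmz", "www": "shared_dmz", "app": "service_dmz"}


def classify(src_zone, dst_zone, levels):
    """Return how the firewall treats a new connection when no rule matches."""
    if src_zone == dst_zone:
        return "unfiltered"      # same segment: the firewall never sees it
    if levels[src_zone] > levels[dst_zone]:
        return "default-permit"  # crosses the firewall, can be narrowed by a rule
    return "default-deny"        # crosses the firewall, needs an explicit permit


def flow_table(hosts, levels):
    """Classify every ordered host pair in a layout."""
    return {(s, d): classify(hosts[s], hosts[d], levels)
            for s, d in permutations(hosts, 2)}


def unfiltered_flows(hosts, levels):
    """Host pairs that no firewall policy can control in this layout."""
    return sorted(p for p, v in flow_table(hosts, levels).items() if v == "unfiltered")


if __name__ == "__main__":
    for name, hosts, levels in (("separate DMZs", HOSTS_SEPARATE, SEPARATE),
                                ("shared DMZ", HOSTS_SHARED, SHARED)):
        print(name)
        for (src, dst), verdict in flow_table(hosts, levels).items():
            print(f"  {src:>10} -> {dst:<10} {verdict}")
        print("  uncontrolled:", unfiltered_flows(hosts, levels) or "none")
```

With separate DMZs every flow crosses the firewall, so the public-server-to-customer path can be closed with an explicit rule; in the shared layout that path is unfiltered.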