On Mon, 2004-08-09 at 16:14, Steve Melo wrote:
> I have a question about setting up a DMZ. My understanding is that on a
> switch layer 3 communication cannot happen without a router, so would it be
> safe to have 3 separate networks (one for the internet, one for the DMZ and
> one for the LAN) all connected to the same switch? My idea is that the
> switch does not have the ability to connect the separate networks and all
> routing happens at the firewall machines. Any thoughts or suggestions?
>
>   __________         ____________                        ____________         _______
>  (          )  ppp0  |          | eth1              eth0 |          | eth1   (       )
>  ( INTERNET )<------>| FIREWALL |<----> switch <-------->| FIREWALL |<------>(  LAN  )
>  (__________)  eth0  |   one    |         ^              |   two    |        (_______)
>                      |__________|         |              |__________|
>                                           | eth0
>                                    ==============
>                                    | Email Srvr |
>                                    ==============
>
> DMZ:
> 192.168.1.0/24 is the DMZ network
>
> Firewall one:
> eth0/ppp0 dynamic IP address
> eth1 attached to 192.168.1.0/24
>
> Firewall two:
> eth0 attached to 192.168.1.0/24
> eth1 attached to 192.168.2.0/24
>
> Email server:
> eth0 attached to 192.168.1.0/24
>
> LAN:
> 192.168.2.0 is the local area network
The idea of a separate DMZ is to have a separate "physical" and numerical subnet. So your way, a compromised server could see everything with just an ARP command and continue freely to explore. Better to have the physical separation.

Regards,
Peter
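To make Peter's point concrete, here is a small simulation added by the editor (not code from either poster): a learning switch that forwards frames by MAC address only, and hosts that answer ARP for any address they hold. The MAC and IP addresses, the port numbers and the hostnames are constructed for the example; the switch model is deliberately minimal (no VLANs, no port security) and a real host's ARP reply behaviour also depends on its sysctls. The topology follows Steve's diagram: firewall one's eth1, the mail server and both of firewall two's interfaces on one switch in the "flat" case, versus two separate switches in the "physical separation" case.

```python
"""Why a flat switch is not a DMZ: ARP crosses IP subnets freely.

Constructed example. A learning switch never looks at IP headers, so a
compromised 192.168.1.x host that simply adds an alias in 192.168.2.0/24
gets ARP replies from the LAN if it shares the wire.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: dict  # ARP fields only; this model carries nothing else


class Switch:
    """Learning switch: learns source MACs, floods unknown/broadcast."""

    def __init__(self, name):
        self.name = name
        self.ports = {}      # port id -> Host
        self.mac_table = {}  # MAC -> port id

    def attach(self, port, host):
        self.ports[port] = host
        host.switch = self

    def send(self, host, frame):
        in_port = next(p for p, h in self.ports.items() if h is host)
        self.mac_table[frame.src_mac] = in_port
        if frame.dst_mac in self.mac_table:
            out = [self.mac_table[frame.dst_mac]]
        else:  # broadcast or unknown destination: flood every other port
            out = [p for p in self.ports if p != in_port]
        for p in out:
            self.ports[p].receive(frame)


class Host:
    """One NIC: a MAC, a set of IPs, an ARP cache. Routers are two of these
    that are NOT bridged, because a router forwards packets, not frames."""

    def __init__(self, name, mac, ips):
        self.name, self.mac, self.ips = name, mac, set(ips)
        self.switch = None
        self.arp_cache = {}
        self.seen_requests = []

    def receive(self, frame):
        p = frame.payload
        if p["op"] == "who-has":
            self.seen_requests.append(p)
            if p["target_ip"] in self.ips:
                reply = Frame(self.mac, frame.src_mac,
                              {"op": "is-at", "ip": p["target_ip"], "mac": self.mac})
                self.switch.send(self, reply)
        elif p["op"] == "is-at" and frame.dst_mac == self.mac:
            self.arp_cache[p["ip"]] = p["mac"]

    def arp(self, target_ip, sender_ip):
        """Broadcast who-has and return the resolved MAC, or None."""
        self.switch.send(self, Frame(self.mac, BROADCAST,
                                     {"op": "who-has", "target_ip": target_ip,
                                      "sender_ip": sender_ip}))
        return self.arp_cache.get(target_ip)


def build(flat):
    """flat=True: Steve's layout, one switch. flat=False: Peter's advice."""
    dmz_sw = Switch("switch")
    lan_sw = dmz_sw if flat else Switch("lan-switch")
    fw1 = Host("fw1-eth1", "02:00:00:00:01:01", ["192.168.1.1"])
    mail = Host("mail", "02:00:00:00:01:10", ["192.168.1.10"])
    fw2_dmz = Host("fw2-eth0", "02:00:00:00:01:02", ["192.168.1.2"])
    fw2_lan = Host("fw2-eth1", "02:00:00:00:02:01", ["192.168.2.1"])
    pc = Host("lan-pc", "02:00:00:00:02:50", ["192.168.2.50"])
    dmz_sw.attach(1, fw1); dmz_sw.attach(2, mail); dmz_sw.attach(3, fw2_dmz)
    lan_sw.attach(4, fw2_lan); lan_sw.attach(5, pc)
    return {"mail": mail, "pc": pc, "fw1": fw1, "fw2_dmz": fw2_dmz, "fw2_lan": fw2_lan}


def compromised_mail_server_probe(flat):
    """Attacker on the mail server adds a LAN-subnet alias and ARPs a LAN PC.
    Returns (resolved MAC or None, names of hosts that saw the broadcast)."""
    net = build(flat)
    net["mail"].ips.add("192.168.2.200")  # 'ip addr add 192.168.2.200/24 dev eth0'
    mac = net["mail"].arp("192.168.2.50", "192.168.2.200")
    snoopers = sorted(h.name for h in net.values() if h.seen_requests)
    return mac, snoopers


if __name__ == "__main__":
    print("flat switch:     ", compromised_mail_server_probe(True))
    print("separate switches:", compromised_mail_server_probe(False))
```

In the flat case the LAN PC answers the ARP request directly and firewall two is never consulted, so every rule on it is bypassed; with a separate switch per segment the broadcast stays in the DMZ and the only path to 192.168.2.0/24 is through firewall two, which is exactly the separation Peter recommends.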

