Ok, first, thank you for your attention.
So, I need a DMZ to run hosts with untrusted services (www, smtp etc), I
believe that is a good reason.
About the masquerading, I need this for my internal hosts, because I have a
little ip range, ok?
About the proxy, I need to do caching and so I could reduce the bandwidth
usage, ok? Am I correct?
So, I'm thinking of using the Cisco router as the external router and the Linux box
as the internal router, doing the masquerading and proxy.
Do you agree with this?
Best Regards
-------------------------------------------------
Alexandre de Oliveira
eCommerce Internet & Intranet Concepts
Fone: 5853-2131 / Fax: 5853-2164
----- Original Message -----
From: Hiemstra, Brenno <[EMAIL PROTECTED]>
To: 'Alexandre' <[EMAIL PROTECTED]>; Firewalls
<[EMAIL PROTECTED]>
Sent: Tuesday, October 31, 2000 1:55 PM
Subject: RE: DMZ
Alexandre,
Are you sure about the proxy thing, and do you know all that a proxy
does? Because maybe you mean a firewall.
A Cisco router has the ability to act as a masquerading host
which is connected to the internet and the local LAN.
If you want to locally store websites for better web performance,
that's one thing a proxy does, instead of only translating
internet addresses to local LAN addresses, which is what a masquerading
host does. A Cisco router can't do this because it doesn't hold
a great amount of HD room for all this caching (or am I wrong?)
A proxy can also regulate the access to the internet for a special
group in your network (which you can specify on an NT domain
controller machine, for example). I don't know if a Cisco router
has this ability; a Linux box can. Like separation in who is able to
FTP, WWW, ICQ, etc.
If your network is a very large one then masquerade from a very
fast machine which has its connection onto the internet and the
local LAN. Maybe you have to cluster them for single point of failure.
For some security reasons I would let a proxy or firewall do the
masquerading instead of the external router, because this also does the
routing for the DMZ. A masquerading host (proxy or firewall left behind)
doesn't do that, because when you create a DMZ you generally don't translate
the IP addresses (internet to local addresses or the other way around).
Especially if you have more hosts in your DMZ.
From an overview point your network could look like this:
INTERNET --{external router}-- DMZ --{masquerading host, firewall preferred}-- LAN
If your external router has more than 2 interfaces you can let the
masquerading host do the translation of the local internet addresses to the
address of an external router interface which will route the package onto
the internet.
A masquerading host, proxy or firewall, can view and drop IP packets higher
in the OSI model than a regular Cisco router.
None of this traffic (if the router is configured correctly) will go
through the DMZ.
As you can see this can be a complex environment and it all depends on
various things (amount of internet IP addresses, DMZ design, amount of
clients, etc.)
This is a question that is very difficult to answer. In a small network the
external router can also be the proxy and the firewall (who knows, everything
is possible nowadays).
And a question from my side... Why do you need a DMZ?
Greets,
/Brenno
> -----Original Message-----
> From: Alexandre [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, 31 October 2000 16:21
> To: Firewalls
> Subject: DMZ
>
> I'm looking for more opinions; I'm creating a DMZ with screened subnet
> architecture. That's my doubt:
>
> - Who should do the masquerading? The internal or external router?
> - Who should do the proxy? The internal or external router?
>
> To do this I have a Linux box and a Cisco Router. Who should be the
> external router? Why?
>
> ThankZ.
>
> Alexandre de Oliveira
>
> -------------------------------------------------
> Alexandre de Oliveira
> eCommerce Internet & Intranet Concepts
> Fone: 5853-2131 / Fax: 5853-2164
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
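The layout discussed in this thread (INTERNET --{external router}-- DMZ --{masquerading host}-- LAN), written as an nftables ruleset for the Linux box in the internal-router role. This is an added example, not configuration from either poster. The interface names, the 192.168.1.0/24 LAN range and proxy port 3128 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example for the internal Linux router (masquerading host + caching proxy).
# Assumed, not from the thread: eth0 faces the DMZ, eth1 faces the LAN,
# the LAN uses 192.168.1.0/24, the local caching proxy listens on TCP 3128.

flush ruleset

define dmz_if  = "eth0"
define lan_if  = "eth1"
define lan_net = 192.168.1.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # Only LAN clients may use the caching proxy running on this box.
        iifname $lan_if ip saddr $lan_net tcp dport 3128 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN hosts may open connections outward (DMZ, and the Internet
        # through the external router).
        iifname $lan_if oifname $dmz_if ip saddr $lan_net ct state new accept
        # A DMZ host running untrusted services must never open a
        # connection into the LAN; log the attempt before dropping it.
        iifname $dmz_if oifname $lan_if ct state new log prefix "dmz-to-lan " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Translate LAN sources only. DMZ hosts keep their own addresses
        # and are routed, untranslated, by the external router.
        oifname $dmz_if ip saddr $lan_net masquerade
    }
}
```

Logged "dmz-to-lan" entries are worth alerting on, since a DMZ host initiating traffic toward the LAN is not expected in this design.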