Please be kind.  I admit to knowing little about firewalls and DMZs
but that's why I'm here...  I know enough to be considered dangerous
(when it comes to project planning that is).

 
Here's my situation. I have an internal LAN which consists of a
private internal network (172.17.17.0/24) with a Cisco PIX Firewall
between the private internal network and our direct connection to the
Internet.
 
LAN-----Firewall-----Internet
 
We also have 3 servers which are located between our firewall and the
internet (as far as I can tell) and they use a PUBLIC external IP
address provided to us from our ISP.
 
LAN-----Firewall------Internet
                  |
                  |
               Servers
 
Server #1 - Outlook Web Access server (connects to our internal
Exchange server)
Server #2 - Internet/Intranet Web server
Server #3 - Weather Station server
 
Question #1 - Common sense tells me that all 3 servers using those
external IP addresses are VERY susceptible to attacks.  Without a
firewall between them and the internet, they are fair game to
hackers, correct?
 
Question #2 - Would a good solution be to move all 3 servers to a
DMZ?  I'm not sure if DMZ is the right "term" but this is what I
mean:  Change the IP address of all 3 machines from an external
public IP address to an internal private IP address which is isolated
from any used on our LAN (for example, I could use 172.17.30.0/24).
 
LAN-----Firewall-----Internet
           |
           |
          DMZ
 
LAN - Internal network address of 172.17.17.0
DMZ - Internal network address of 172.17.30.0
 
Is this a good start?  Now, am I correct in assuming that I would
also have to use some sort of NAT on the firewall so that requests
from the internet would still resolve to the external public IP
address, but the firewall would translate that IP address to the
correct internal private address?
 
For example: If someone from the internet wanted to access the
Weather Station server, they would enter the same DNS name (or
public IP address) and my firewall should be set to KNOW that when
requests for that particular IP address are made, to pass that request
to the internal private IP address of the Weather Station server.  Of
course, the firewall would also check the port rules to make sure
that request was valid or inappropriate.
 
Argh, next question....
 
Question #3 - I've heard the NT domain used in the DMZ should be
different than the NT domain used in the internal private network. 
Though, the DMZ can be used as a resource domain if necessary, but
not the other way around.  Can you shed some light?
Hmm.. Am I making any sense? haha.. please let me know and keep any
answers as detailed as possible since I seem to be a bit lost here. 
THANK YOU SO MUCH.
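The static NAT plus port-rule setup described in Question #2, as an added example in Cisco PIX 6.x syntax (not from the original post). It assumes the third PIX interface becomes the DMZ, that 172.17.30.12 is the Weather Station's new private address, and uses 203.0.113.12 as a placeholder for the ISP-assigned public address.

```cisco
! Constructed example. 203.0.113.12 stands in for the real public IP;
! 172.17.30.12 is an assumed DMZ address for the Weather Station server.
nameif ethernet2 dmz security50
ip address dmz 172.17.30.1 255.255.255.0

! Static one-to-one NAT: the public address the world already uses for the
! Weather Station now maps to its private DMZ address behind the firewall.
static (dmz,outside) 203.0.113.12 172.17.30.12 netmask 255.255.255.255 0 0

! Port rules on the outside interface: only HTTP to that public address is
! let in; anything else from the Internet hits the implicit deny at the end.
access-list outside_in permit tcp any host 203.0.113.12 eq www
access-group outside_in in interface outside

! Stop DMZ hosts from reaching the internal LAN, so a compromised server
! cannot pivot inward; they may still reach the Internet (e.g. for updates).
access-list dmz_in deny ip any 172.17.17.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

! Outbound connections from the DMZ are translated behind the outside address.
global (outside) 1 interface
nat (dmz) 1 172.17.30.0 255.255.255.0
```

The OWA server would need one narrow exception in dmz_in permitting only the ports its Exchange front end uses toward the internal Exchange host, added above the deny line rather than by opening the LAN as a whole.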