I wouldn't oversimplify like that. Collapsed structure versus two firewalls is a very debatable topic. Why? Because if I hack your external firewall (the firewall itself, not a machine behind it) and your *separate* internal firewall is a *different* firewall, all I've done so far is compromise your DMZ. If you have a single firewall and there's an exploit out there for it that you've not yet patched against or a hack you don't know about, when I compromise your firewall I've now potentially compromised your entire network.
With that said, as I steadfastly maintain, a firewall is merely a speed bump against a skilled, dedicated intruder.

Laura

----- Original Message -----
From: "Clifford Thurber" <[EMAIL PROTECTED]>
To: "Laura A. Robinson" <[EMAIL PROTECTED]>; "Bill Royds" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, April 04, 2002 4:29 PM
Subject: Re: Basic DMZ Setup Questions...

> This was traditionally the architecture before the DMZ became collapsed.
>
> At 12:13 PM 4/4/2002 -0500, Laura A. Robinson wrote:
> >A "true" DMZ may have a firewall between the Internet and the DMZ, as well as between the DMZ and the intranet.
> >
> >Laura
> >----- Original Message -----
> >From: "Bill Royds" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> >Sent: Wednesday, April 03, 2002 8:11 PM
> >Subject: RE: Basic DMZ Setup Questions...
> >
> >A true DMZ is the net between the firewall and the Internet, not behind a firewall. If this is the case, then you have the choice of a public address or a simple 1-1 NAT (IP redirect) set up on your NAT enabled router. If your router can handle Port Address Translation, where it sends the traffic from a single Internet address to separate servers depending on destination port, you can save Internet IP space by using private addresses. But your servers are not being protected by your firewall.
> >
> >If it is the more common server segment on a third NIC of the firewall, then it can use private address space, either IP redirect, PAT or full dynamic NAT. But it still would be a good idea to set up this server segment with a separate subnet address to ease routing and rule making on the firewall.
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John S. Strock
> >Sent: Wed April 03 2002 18:26
> >To: [EMAIL PROTECTED]
> >Subject: Basic DMZ Setup Questions...
> >
> >I have a few questions regarding setting up a DMZ. Currently our public servers are behind our LAN port on our Firewall, with only the ports we need opened. I would like to move these servers to the DMZ port of our SonicWall DMZ firewall. My question is...once I put something in the DMZ, do I need to give it a different IP address, meaning do I need to change it from an internal LAN IP to an external WAN IP? Currently, my NAT router handles that. And if I do give it a WAN IP, does that mean I take it out of my NAT table? I plan on using our HP Switch to create 2 VLANs, one for our LAN and one for the DMZ Zone (currently our switch is not VLANed and it's used for our internal LAN). Would this work, is this a good idea? Can you give me any basic setup ideas/suggestions?
> >
> >Thanks!
> >
> >John
> >_______________________________________________
> >Firewalls mailing list
> >[EMAIL PROTECTED]
> >http://lists.gnac.net/mailman/listinfo/firewalls
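As an added illustration (not code from anyone in this thread), here is a small Python model of the three-NIC layout Bill describes: the DMZ on its own private subnet, inbound 1-1 NAT and PAT from a single public address, and a zone policy in which a compromised DMZ host has no path to the LAN. All subnets, addresses and port mappings are constructed for the example.

```python
import ipaddress

# Constructed example: a three-legged firewall with WAN, LAN and DMZ interfaces.
# The DMZ sits on its own private subnet so zone rules can be written per subnet.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.2.0/24"),
}
PUBLIC_IP = "203.0.113.10"                      # the firewall's single public address
# 1-1 NAT (IP redirect): a dedicated public address maps to one DMZ server.
NAT_1TO1 = {"203.0.113.11": "192.168.2.30"}
# PAT: one public address, traffic split to separate DMZ servers by destination port.
PAT = {80: ("192.168.2.10", 80), 25: ("192.168.2.20", 25)}

# Zone policy: (source zone, destination zone) -> allowed destination ports or "any".
# (DMZ, LAN) is deliberately absent: a compromised DMZ host gets no path inward.
POLICY = {
    ("WAN", "DMZ"): {80, 25},
    ("LAN", "DMZ"): "any",
    ("LAN", "WAN"): "any",
    ("DMZ", "WAN"): {25, 53},                   # outbound mail and DNS only
}

def zone_of(ip):
    """Map an address to its zone; anything outside the private subnets is WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

def translate(dst_ip, dst_port):
    """Apply inbound 1-1 NAT or PAT and return the real (private) destination."""
    if dst_ip in NAT_1TO1:
        return NAT_1TO1[dst_ip], dst_port
    if dst_ip == PUBLIC_IP and dst_port in PAT:
        return PAT[dst_port]
    return dst_ip, dst_port

def decide(src_ip, dst_ip, dst_port):
    """Translate first, then evaluate the zone policy on the real destination."""
    real_ip, real_port = translate(dst_ip, dst_port)
    allowed = POLICY.get((zone_of(src_ip), zone_of(real_ip)))
    if allowed == "any" or (allowed and real_port in allowed):
        return "ACCEPT", real_ip, real_port
    return "DROP", real_ip, real_port

if __name__ == "__main__":
    for pkt in [("198.51.100.7", "203.0.113.10", 80), ("192.168.2.10", "192.168.1.5", 445)]:
        print(pkt, "->", decide(*pkt))
```

Note that translation runs before the policy check, so the rule set is written against the private DMZ addresses, which is exactly why a separate DMZ subnet keeps the rules simple.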
