Generally employing not only different firewall manufacturers, but
different classes of firewalls. Packet filter outside the DMZ, app proxy
behind.

Glenn

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, April 04, 2002 5:57 PM
To: Noonan, Wesley; 'kk downing'; [EMAIL PROTECTED]
Subject: Re: Basic DMZ Setup Questions...

85-90% of our clients. That's a conservative estimate.

Laura
----- Original Message ----- 
From: "Noonan, Wesley" <[EMAIL PROTECTED]>
To: "'kk downing'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, April 04, 2002 5:30 PM
Subject: RE: Basic DMZ Setup Questions...


> Every bank I have ever worked with.
> 
> Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
> Senior QA Rep.
> BMC Software, Inc.
> (713) 918-2412
> [EMAIL PROTECTED]
> http://www.bmc.com
> 
> 
> -----Original Message-----
> From: kk downing [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, April 04, 2002 16:12
> To: [EMAIL PROTECTED]
> Subject: Re: Basic DMZ Setup Questions...
> 
> With the rise of firewall appliances and
> multi-nic cards many organizations run a collapsed
> DMZ. Obviously the two firewall architecture is a good
> idea but how many organizations actually pick two
> different firewall vendors and apply this approach?
> 
> 
> --- "Laura A. Robinson" <[EMAIL PROTECTED]>
> wrote:
> > I wouldn't oversimplify like that. Collapsed
> > structure versus two firewalls
> > is a very debatable topic. Why? Because if I hack
> > your external firewall
> > (the firewall itself, not a machine behind it) and
> > your *separate* internal
> > firewall is a *different* firewall, all I've done so
> > far is compromise your
> > DMZ. If you have a single firewall and there's an
> > exploit out there for it
> > that you've not yet patched against or a hack you
> > don't know about, when I
> > compromise your firewall I've now potentially
> > compromised your entire
> > network.
> > 
> > With that said, as I steadfastly maintain, a
> > firewall is merely a speed bump
> > against a skilled, dedicated intruder.
> > 
> > Laura
> > ----- Original Message -----
> > From: "Clifford Thurber"
> > <[EMAIL PROTECTED]>
> > To: "Laura A. Robinson" <[EMAIL PROTECTED]>;
> > "Bill Royds"
> > <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
> > <[EMAIL PROTECTED]>
> > Sent: Thursday, April 04, 2002 4:29 PM
> > Subject: Re: Basic DMZ Setup Questions...
> > 
> > 
> > > This was traditionally the architecture before the DMZ became collapsed.
> > >
> > > At 12:13 PM 4/4/2002 -0500, Laura A. Robinson wrote:
> > > >A "true" DMZ may have a firewall between the Internet and the DMZ, as well
> > > >as between the DMZ and the intranet.
> > > >
> > > >Laura
> > > >----- Original Message -----
> > > >From: "Bill Royds" <[EMAIL PROTECTED]>
> > > >To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > >Sent: Wednesday, April 03, 2002 8:11 PM
> > > >Subject: RE: Basic DMZ Setup Questions...
> > > >
> > > >
> > > >A true DMZ is the net between the firewall and the Internet, not behind a
> > > >firewall. If this is the case, then you have the choice of a public address
> > > >or a simple 1-1 NAT (IP redirect) set up on your NAT enabled router. If your
> > > >router can handle Port Address Translation, where it sends the traffic from
> > > >a single Internet address to separate servers depending on destination port,
> > > >you can save Internet IP space by using private addresses. But your servers
> > > >are not being protected by your firewall.
> > > >
> > > >If it is the more common server segment on a third NIC of the firewall, then
> > > >it can use private address space, either IP redirect, PAT or full dynamic
> > > >NAT. But it still would be a good idea to set up this server segment with a
> > > >separate subnet address to ease routing and rule making on the firewall.
> > > >
> > > >-----Original Message-----
> > > >From: [EMAIL PROTECTED]
> > > >[mailto:[EMAIL PROTECTED]] On Behalf Of John S. Strock
> > > >Sent: Wed April 03 2002 18:26
> > > >To: [EMAIL PROTECTED]
> > > >Subject: Basic DMZ Setup Questions...
> > > >
> > > >
> > > >I have a few questions regarding setting up a DMZ.  Currently our
> > > >public servers are behind our LAN port on our Firewall, with only the
> > > >ports we need opened.  I would like to move these servers to the DMZ
> > > >port of our SonicWall DMZ firewall.  My question is...once I put
> > > >something in the DMZ, do I need to give it a different IP address,
> > > >meaning do I need to change it from an internal LAN IP to an external
> > > >WAN IP?  Currently, my NAT router handles that.  And if I do give it a
> > > >WAN IP, does that mean I take it out of my NAT table?  I plan on using
> > > >our HP Switch to create 2 VLANs, one for our LAN and one for the DMZ
> > > >Zone (currently our switch is not VLANed and it's used for our internal
> > > >LAN).  Would this work, is this a good idea?  Can you give me any basic
> > > >setup ideas/suggestions?
> > > >
> > > >Thanks!
> > > >
> > > >John
> > > >_______________________________________________
> > > >Firewalls mailing list
> > > >[EMAIL PROTECTED]
> > > >http://lists.gnac.net/mailman/listinfo/firewalls
> > > >
> > >
> > 
> 
> 

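
Added example, not part of the original thread: a small Python model of the argument quoted above, comparing a collapsed DMZ with two firewalls from the same vendor and two firewalls from different vendors. The topology names, the vendorA/vendorB labels and the compromise rule are assumptions made for illustration.

```python
from collections import deque

# Constructed topologies: each firewall is (name, platform, zones it connects).
TOPOLOGIES = {
    "collapsed":        [("fw1", "vendorA", {"internet", "dmz", "lan"})],
    "dual_same_vendor": [("outer", "vendorA", {"internet", "dmz"}),
                         ("inner", "vendorA", {"dmz", "lan"})],
    "dual_diverse":     [("outer", "vendorA", {"internet", "dmz"}),
                         ("inner", "vendorB", {"dmz", "lan"})],
}

def exposed_zones(firewalls, exploitable_platform, start="internet"):
    """Zones exposed to `start` when an unpatched flaw exists in one platform.

    Assumptions: a firewall can only be reached from a zone that is already
    exposed, and a compromised firewall no longer separates its zones.
    Policy-permitted flows (published DMZ services) are not modelled.
    """
    reached = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for _name, platform, zones in firewalls:
            if platform == exploitable_platform and zone in zones:
                for nxt in zones - reached:
                    reached.add(nxt)
                    queue.append(nxt)
    return reached - {start}

def blast_radius_table(platforms=("vendorA", "vendorB")):
    """Exposure for every (topology, flawed platform) pair."""
    return {(topo, p): sorted(exposed_zones(fws, p))
            for topo, fws in TOPOLOGIES.items() for p in platforms}

if __name__ == "__main__":
    for (topo, platform), zones in sorted(blast_radius_table().items()):
        print(f"{topo:17} flaw in {platform}: exposed = {zones or 'nothing'}")
```

Only the dual_diverse layout limits a vendorA flaw to the DMZ; two firewalls from the same vendor give the same exposure as the collapsed design.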
