Brian,
It's generally a bad idea to have your web servers on the external router
segment like that. The whole idea of putting the DMZ on a separate
interface of the firewall is to allow you the added granularity in
controlling access to those machines. Typically, people allow something
like "ANY web-server HTTP/HTTPS Accept" and "web-server backend-db-server
sqlnet Accept" in a scenario like that. In 90% of the cases I've seen, you
don't need much more than that (unless this is a large B2C type
application.) Doing so greatly limits the likelihood of someone doing a
non-HTTP-based attack against your web servers.
Hope this helps.
Jason
At 10:04 PM 1/25/01 -0500, Brian Aust wrote:
>
>Okay.... I've got to ask a stupid question here.
>
>I've seen several posts on this thread describing a traditional DMZ as an
>extra NIC or two in the firewall from which DMZ machines branch off.
>
>I've always thought that a DMZ was off the router. Such as:
>
> Internet
> |
> |
> |
> ---Router---
> | |
> Firewall DMZ boxes
> |
> |
> Internal LAN
>
>
>Is this also a reasonable DMZ, or is having boxes directly off the router
>generally a no-no? I've got a hub sitting directly off the router, to which
>I have 3 machines attached in what I consider a DMZ. Is this reasonable?
>Stupid?
>
>If a DMZ is off a 3rd NIC on the firewall, the firewall software does NO
>protection, correct? It just passes all traffic to that subnet without
>questions? Or does it also do some protection of DMZ boxes?
>
>Cheers,
>Brian Aust
>
>-----Original Message-----
>From: Dean Cunningham
>To: '[EMAIL PROTECTED]'
>Sent: 1/25/01 9:15 PM
>Subject: RE: [FW1] If a single firewall with 3 NIC's a considered a DMZ?
>
>
>Hi Alan,
>Just to extend it a bit, there is no reason to limit your thoughts to
>just "a dmz".
>You can have multiple DMZs to keep your paranoia and your security
>policy happy :-)
>For example, you could decide to put your dialup users in a separate dmz
>to limit their access to internal resources and to protect them from
>potentially compromised machines in "the dmz".
>
> Internet
> |
> |
> Router
> |
> |
>Dialup Users -------Firewall ------- Web servers
> |
> |
> Internal network
>
>-----Original Message-----
>From: James Edwards [mailto:[EMAIL PROTECTED]]
>Sent: Friday, 26 January 2001 5:37 AM
>To: 'Allan Pratt'; [EMAIL PROTECTED]
>Subject: RE: [FW1] If a single firewall with 3 NIC's a considered a DMZ?
>
>
>
>Try this:
>
>Internet
> |
> |
>Firewall ------- Web servers
> |
> |
>Internal network
>
>
>You wouldn't want your web server and other stuff just hanging out in the
>breeze like your first example, and having two firewalls, while more
>secure, is a lot of overhead. This way, you use one firewall to control
>access to your DMZ from both the inside and outside networks.
>
>This is what I always understood to be the "classic" DMZ layout.
>
>Jim Edwards
>Systems Manager
>Texas Secretary of State
>
>-----Original Message-----
>From: Allan Pratt [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, January 25, 2001 9:28 AM
>To: [EMAIL PROTECTED]
>Subject: [FW1] If a single firewall with 3 NIC's a considered a DMZ?
>
>
>
>
>
>Hi,
>
>Please help settle some confusion.
>
>Is a single firewall with 3 NICs considered a DMZ?
>
>I always thought that a DMZ was:
>
>Internet Access router <=> web/ftp servers & Bastion host <=> Firewall
>
>or better yet...........
>
>Internet Access router <=> Firewall <=> web/ftp servers & Bastion host <=> Firewall
>
>
>Please clarify
>
>Thanks.
>
>
>
>
>
>
>
>========================================================================
>====
>====
> To unsubscribe from this mailing list, please see the instructions
>at
> http://www.checkpoint.com/services/mailing.html
>========================================================================
>====
>====
>
>
>========================================================================
>====
>====
> To unsubscribe from this mailing list, please see the instructions
>at
> http://www.checkpoint.com/services/mailing.html
>========================================================================
>====
>====
>***************************************************
>This e-mail is not an official statement of the
>Waikato Regional Council unless otherwise stated.
>Visit our website http://www.ew.govt.nz
>***************************************************
>
>
>========================================================================
>========
> To unsubscribe from this mailing list, please see the instructions
>at
> http://www.checkpoint.com/services/mailing.html
>========================================================================
>========
>
>
>===========================================================================
=====
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>===========================================================================
=====
>
>
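The rule base Jason sketches ("ANY web-server HTTP/HTTPS Accept", "web-server backend-db-server sqlnet Accept", nothing else) and the question of whether a firewall with a third NIC actually protects the DMZ boxes can both be made concrete with a small zone-based model. The following is an added example written for this page; it is not code from any message in the thread. The addresses (documentation ranges), the zone names outside/dmz/inside, the port set for HTTP/HTTPS and the SQL*Net port 1521 (Oracle's default listener) are all assumptions. It evaluates connection-initiating packets against an ordered rule base with an implicit drop, the way a stateful three-interface firewall would, and contrasts that with Brian's layout, where the DMZ segment hangs off the router and its traffic never transits the firewall (router ACLs are not mentioned in the thread, so none are modelled).

```python
"""Zone-based model of the 3-NIC DMZ policy discussed in this thread.

Added example, not code from any message above. Addressing, zone names
and the SQL*Net port are assumptions chosen to match the prose.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Tuple, Union

# Constructed addressing (documentation ranges), not taken from the thread.
DMZ_NET = ip_network("192.0.2.0/24")      # firewall NIC 2: web servers
INSIDE_NET = ip_network("10.0.0.0/8")     # firewall NIC 3: internal LAN
WEB_SERVERS = frozenset({ip_address("192.0.2.10"), ip_address("192.0.2.11")})
DB_SERVER = frozenset({ip_address("10.1.1.20")})

HTTP_HTTPS = frozenset({80, 443})
SQLNET = frozenset({1521})                # assumed Oracle SQL*Net listener port

Endpoint = Union[str, FrozenSet]          # "any", a zone name, or a host set
Ports = Union[str, FrozenSet[int]]        # "any" or a set of destination ports


def zone_of(ip) -> str:
    """Interface a host sits behind; anything not DMZ or inside is the Internet."""
    if ip in DMZ_NET:
        return "dmz"
    if ip in INSIDE_NET:
        return "inside"
    return "outside"


def _endpoint_ok(spec: Endpoint, ip) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, str):             # a zone name
        return zone_of(ip) == spec
    return ip in spec                     # an explicit host set


@dataclass(frozen=True)
class Rule:
    name: str
    src: Endpoint
    dst: Endpoint
    proto: str        # "tcp", "udp" or "any"
    dport: Ports
    action: str       # "accept" or "drop"

    def matches(self, src_ip, dst_ip, proto, dport) -> bool:
        return (_endpoint_ok(self.src, src_ip)
                and _endpoint_ok(self.dst, dst_ip)
                and self.proto in ("any", proto)
                and (self.dport == "any" or dport in self.dport))


# Jason's two rules. First match wins; anything unmatched hits the implicit
# cleanup rule below, so DMZ hosts cannot initiate anything else inward.
POLICY = (
    Rule("web-in", "any",       WEB_SERVERS, "tcp", HTTP_HTTPS, "accept"),
    Rule("web-db", WEB_SERVERS, DB_SERVER,   "tcp", SQLNET,     "accept"),
)


def three_nic_firewall(src, dst, proto, dport) -> Tuple[str, str]:
    """Verdict for a new connection crossing the three-interface firewall."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in POLICY:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.name
    return "drop", "implicit-cleanup"


def router_dmz(src, dst, proto, dport) -> Tuple[str, str]:
    """Brian's layout: the DMZ hangs off the router, in front of the firewall.

    Packets for the DMZ segment never cross the firewall, so (with no router
    ACLs, an assumption) they are simply forwarded. Everything else still
    passes through the firewall policy.
    """
    if ip_address(dst) in DMZ_NET:
        return "accept", "router-forwarded"
    return three_nic_firewall(src, dst, proto, dport)


# Constructed connection attempts illustrating the points made in the thread.
ATTEMPTS = (
    ("browser hits the web server",        "198.51.100.7", "192.0.2.10", "tcp", 443),
    ("attacker probes SSH on web server",  "198.51.100.7", "192.0.2.10", "tcp", 22),
    ("web server talks to the database",   "192.0.2.10",   "10.1.1.20",  "tcp", 1521),
    ("compromised web server pivots to LAN", "192.0.2.10", "10.1.1.50",  "tcp", 445),
    ("attacker goes straight for the LAN", "198.51.100.7", "10.1.1.50",  "tcp", 445),
)


def compare() -> dict:
    """Verdict of each attempt under both layouts, keyed by description."""
    return {
        desc: {"three_nic": three_nic_firewall(s, d, p, port)[0],
               "router_dmz": router_dmz(s, d, p, port)[0]}
        for desc, s, d, p, port in ATTEMPTS
    }


if __name__ == "__main__":
    for desc, v in compare().items():
        print(f"{desc:38} 3-NIC firewall: {v['three_nic']:7} "
              f"DMZ off router: {v['router_dmz']}")
```

The SSH probe is the case Jason is talking about: with the DMZ on its own firewall interface it hits the cleanup rule, while on the router segment it is forwarded untouched. The pivot attempt shows the other half of the argument, that the same rule base also limits what a compromised DMZ host can reach inside, which is why the firewall does filter DMZ traffic rather than passing it without question.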