On 28/12/01 17:38 +0500, Roman Serbski wrote:
> Probably this is OT (I'm sorry), but could someone point me to URLs
> where I could find information about DMZ organizing?
> I have main firewall with three NICs, one goes to private LAN, second
> one to DMZ, third one to ISP. Is there any basic document about where to
> place service servers (for example mail, proxy, dhcp, modem pool, etc)
> from the security and efficiency point of view.

Generally, services that you want to offer to the public, but are important to you, like your website, go into the DMZ. Stuff that you can ignore, or have to put outside your network firewall (like a gateway router) is in the public network.

SMTP, you have inbound MX servers in the public network, which drop a lot of SPAM delivering to internal MX systems which do antivirus checking and these deliver to Mailbox servers in the private network. To get your mail, you connect to a pop|imap proxy in the DMZ, which connects to the appropriate mailbox server and then delivers the mail to the MUA.

DHCP should probably go in the public network, modem pool for employees would be in the DMZ (dialup ISPs modem pools go in the public network). A properly configured proxy running only the proxy services can be placed in the public network, but you might want to treat it more like an application layer firewall for your internal network.

Webservers go in the DMZ, accelerating proxies in the public network. Database servers should be in the internal network.

Hope this helps

Devdas Bhagat
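
Added example, not part of the original message: a small default-deny model of the three-legged layout from the reply, covering the mail path and the DMZ web server, with an audit for rules that expose the private LAN directly to the public network. The subnets, host addresses and ports, the placement of the antivirus MX in the DMZ, and the "no direct public to private" invariant are all assumptions of this sketch.

```python
import ipaddress

# Constructed addressing for the firewall legs (assumption, not from the post).
ZONES = {
    "private": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}


def zone_of(addr):
    """Map an address to a zone; anything not behind the firewall is public."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "public"


# Allow rules as (source zone, destination host, TCP port).
# Host roles follow the reply; every address here is constructed.
RULES = [
    ("public", "192.168.100.10", 25),   # public MX -> antivirus MX (assumed in DMZ)
    ("dmz", "10.0.0.20", 25),           # antivirus MX -> mailbox server
    ("public", "192.168.100.30", 110),  # MUA -> POP proxy in the DMZ
    ("public", "192.168.100.30", 143),  # MUA -> IMAP proxy in the DMZ
    ("dmz", "10.0.0.20", 110),          # POP proxy -> mailbox server
    ("dmz", "10.0.0.20", 143),          # IMAP proxy -> mailbox server
    ("public", "192.168.100.40", 80),   # web server in the DMZ
]


def allowed(src, dst, port, rules=RULES):
    """Default deny: permit only if a rule matches source zone, host and port."""
    return (zone_of(src), dst, port) in set(rules)


def audit(rules=RULES):
    """Return rules that let the public network reach the private LAN directly."""
    return [r for r in rules if r[0] == "public" and zone_of(r[1]) == "private"]


if __name__ == "__main__":
    print(allowed("203.0.113.5", "192.168.100.10", 25))  # outside host to AV MX
    print(allowed("203.0.113.5", "10.0.0.20", 25))       # outside host to mailbox
    print(audit(RULES + [("public", "10.0.0.50", 5432)]))  # exposed database rule
```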