Security Basics mailing list archives

Re: Basic Network Configuration


From: cc <cc () belfordhk com>
Date: Wed, 15 Oct 2003 10:53:11 +0800

Smith, KC wrote:

> All,
>
> Okay I know this is truly a basic question, but this is after all the "security-BASICS" list!
>
> Most LAN configs I've seen include two, separate pieces of hardware to define the DMZ.  A firewall on the outside and
> another firewall or policy switch on the inside is usually how I've seen that handled.
>
> My new company uses 3 separate NICs in the same firewall.  One for inbound, one for the LAN and one for the DMZ.
> Each has its own address block.


Perhaps you could clarify something.  As far as I've read, I've seen
DMZ charts of the following type:

Internet ->  Firewall (DMZ) -->DMZ-->Firewall(LAN)-->LAN

Can someone point out to me if this is a correct (albeit
basic) rendition of what a DMZ-based network configuration
is?

What I don't understand here is why a DMZ firewall would have
an inbound nic, a DMZ nic and a LAN nic?  Wouldn't
a DMZ just have the inbound/outbound NIC and the DMZ
nic?  Can someone clarify this?

> The second issue is this: is there a rule of thumb to determine
> what should and should not go in the DMZ vs. the LAN?  It
> seems to me that anything that requires access from outside
> the network (Ex. DNS servers, Mail servers, demo servers, etc.)
> should go in the DMZ.  True?

I think that looks very reasonable.  I'm still looking around for
information on this, but so far, I've reached an initial
conclusion that any DMZ/LAN determinations would depend
entirely on one's company's security/network policy.

Sometimes I wish I took a computer degree in network
security and with the rise in computer security awareness,
the post of Chief Systems Security Officer looks very
attractive.
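The three-NIC firewall that KC describes and the DMZ/LAN placement question above can both be made concrete with a small zone-policy model. The following is an added example written for this archive page, not code from either poster: it maps each address block to the NIC (zone) it sits behind, applies a default-deny policy between zones, and shows why a separate DMZ NIC matters by comparing it with a two-NIC layout where DMZ hosts share the inside segment with the LAN. The address blocks, host addresses and service ports are constructed sample values.

```python
"""Zone-based policy model for a three-legged (three-NIC) DMZ firewall.

Added example, not from the original thread. Address blocks, hosts and
ports below are constructed sample values chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Three-NIC layout: the LAN and the DMZ each sit behind their own NIC and
# address block; anything else arrives on the outside (Internet) NIC.
ZONES = {
    "lan": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.0.2.0/24"),
}

# Two-NIC layout for comparison: the "DMZ" servers live on the same inside
# segment as the LAN workstations, so the firewall never sees their traffic.
TWO_NIC_ZONES = {
    "lan": ip_network("10.0.0.0/24"),
}


def zone_of(addr: str, zones=ZONES) -> str:
    """Return the zone (NIC) an address belongs to; unknown means outside."""
    ip = ip_address(addr)
    for name, net in zones.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: frozenset   # destination ports; empty set means any port
    action: str        # "allow" or "deny"


# Policy between zones. Only explicit allows exist; everything else is denied
# by the default at the end of decide(). Note there is no rule at all that
# lets "dmz" or "internet" initiate traffic into "lan".
POLICY = [
    Rule("internet", "dmz", frozenset({25, 53, 80, 443}), "allow"),  # published services only
    Rule("lan", "dmz", frozenset(), "allow"),                        # admins manage DMZ hosts
    Rule("lan", "internet", frozenset(), "allow"),                   # outbound from the LAN
    Rule("dmz", "internet", frozenset({25, 53}), "allow"),           # mail relay and DNS lookups
]


def decide(src_ip: str, dst_ip: str, dport: int, zones=ZONES) -> str:
    """Decide a new flow: 'allow', 'deny', or 'unfiltered' when both ends
    share a segment and the traffic never crosses the firewall."""
    s, d = zone_of(src_ip, zones), zone_of(dst_ip, zones)
    if s == d:
        return "unfiltered"
    for rule in POLICY:
        if rule.src == s and rule.dst == d and (not rule.ports or dport in rule.ports):
            return rule.action
    return "deny"  # default deny between zones


def dmz_host_reaches_lan(zones) -> str:
    """What a compromised DMZ web server can do toward a LAN file server.
    Constructed hosts: DMZ server 192.0.2.10 (three-NIC) or 10.0.0.80
    (two-NIC, same segment as the LAN); LAN file server 10.0.0.5, port 445."""
    dmz_server = "192.0.2.10" if "dmz" in zones else "10.0.0.80"
    return decide(dmz_server, "10.0.0.5", 445, zones)


if __name__ == "__main__":
    samples = [
        ("203.0.113.5", "192.0.2.10", 443),   # Internet -> DMZ web server
        ("203.0.113.5", "192.0.2.10", 22),    # Internet -> DMZ ssh
        ("203.0.113.5", "10.0.0.5", 80),      # Internet -> LAN host
        ("10.0.0.5", "192.0.2.10", 22),       # LAN admin -> DMZ host
        ("192.0.2.10", "198.51.100.1", 25),   # DMZ mail relay -> Internet
        ("192.0.2.10", "198.51.100.1", 80),   # DMZ host browsing out
    ]
    for src, dst, port in samples:
        print(f"{zone_of(src):8} -> {zone_of(dst):8} :{port:<4} {decide(src, dst, port)}")
    print("three-NIC: DMZ host -> LAN :445", dmz_host_reaches_lan(ZONES))
    print("two-NIC:   DMZ host -> LAN :445", dmz_host_reaches_lan(TWO_NIC_ZONES))
```

The last two lines of output are the answer to "why a LAN NIC at all": with three NICs the firewall sits between every pair of zones, so a server that is reachable from the Internet can be cut off from the LAN; with two NICs the DMZ servers and workstations share a segment and that traffic is never filtered. The placement rule of thumb follows from the same model: a host belongs in the DMZ when the policy must accept inbound connections to it from "internet", and nothing that does not need such a rule should be on that segment.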
