Security Basics mailing list archives

RE: Basic Network Configuration


From: "David Fore" <wdfore () ev1 net>
Date: Wed, 15 Oct 2003 11:26:42 -0500

If you want to go one step farther, you can have 2 interfaces on your
DMZ stuff, then put another firewall before your LAN. You would not
necessarily have a connection between the 2 firewalls. More admin, but
some believe more secure.

Internet<------>Firewall             Firewall<------>LAN------Internet Proxy
                   |                    |             |-------Mail Server
                   |        DMZ         |             |-------DNS Server
                   |<->Proxy<---------->|
                   |<->mail rly<------->|
                   |<->DNS<------------>|

Regards,
David
PGP 0xA19B5C17 (pubkey: ldap://keyserver.pgp.com)

-----Original Message-----
From: Ivan Coric [mailto:ivan.coric () workcoverqld com au] 
Sent: Tuesday, October 14, 2003 6:28 PM
To: security-basics () securityfocus com; ksmith () systemsalliance com
Subject: Re: Basic Network Configuration


Hi KC,
A traditional setup, and a good one. If possible don't allow any direct
comms from the LAN to the internet, or at least limit it.



internet<-------------------->Firewall<-------------------->LAN---------Internet proxy
                                 |                           |-------Mail Server
                                 |                           |-------DNS Server
                                DMZ
                          Internet Proxy
                            Mail Relay
                                DNS


Regards
Ivan


Ivan Coric
IT Technical Security Officer
Information Technology
WorkCover Queensland
Ph: (07) 30066414 Fax: (07) 30066424
Email: ivan.coric () workcoverqld com au

>>> "Smith, KC" <ksmith () systemsalliance com> 10/15/03 02:40am >>>
All,

Okay I know this is truly a basic question, but this is after all the
"security-BASICS" list!

Most LAN configs I've seen include two, separate pieces of hardware to
define the DMZ.  A firewall on the outside and another firewall or
policy switch on the inside is usually how I've seen that handled.

My new company uses 3 separate NICs in the same firewall.  One for
inbound, one for the LAN and one for the DMZ.  Each has its own address
block.

It seems like using the firewall to do this makes sense, but I'd
appreciate some external confirmation on that.

The second issue is this: is there a rule of thumb to determine what
should and should not go in the DMZ vs. the LAN?  It seems to me that
anything that requires access from outside the network (Ex. DNS servers,
Mail servers, demo servers, etc.) should go in the DMZ.  True?

Thanks in advance.
KC Smith

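The thread's advice can be written down as a zone policy for the three-NIC design KC describes: one firewall, one interface and address block per leg (Internet, DMZ, LAN), Internet-facing services in the DMZ, the LAN reaching the Internet only through the DMZ proxy as Ivan suggests, and nothing from the DMZ allowed back into the LAN except the mail relay handing inbound mail to the internal mail server. The script below is an added example and is not from any poster in this thread. Every address, host name, interface name and port in it is assumed for illustration (documentation and RFC 1918 ranges), and the rendered ruleset uses present-day nftables syntax rather than the ipchains/iptables of 2003; the `decide` function is a simple first-match model of the forward chain, not a packet filter.

```python
"""Three-legged firewall zone policy (added example; all addresses assumed)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing: one block per firewall leg, as KC describes.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # assumed DMZ block
    "lan": ipaddress.ip_network("10.0.0.0/16"),    # assumed LAN block
}                                                  # anything else is "internet"

# Services that must be reachable from outside live in the DMZ (assumed hosts).
DMZ_PROXY = "192.0.2.10"
DMZ_MAIL_RELAY = "192.0.2.25"
DMZ_DNS = "192.0.2.53"
LAN_MAIL = "10.0.1.25"   # internal mail server; only the DMZ relay may reach it


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src: Optional[str] = None   # pin the rule to one source host when set
    dst: Optional[str] = None   # pin the rule to one destination host when set


# First match wins; anything unmatched is dropped by the default policy.
POLICY = [
    # Internet -> DMZ: only the published services, only on their own hosts
    Rule("internet", "dmz", "tcp", 25, dst=DMZ_MAIL_RELAY),
    Rule("internet", "dmz", "udp", 53, dst=DMZ_DNS),
    Rule("internet", "dmz", "tcp", 53, dst=DMZ_DNS),
    # LAN -> DMZ: clients use the proxy, the resolver and the relay, nothing else
    Rule("lan", "dmz", "tcp", 3128, dst=DMZ_PROXY),
    Rule("lan", "dmz", "udp", 53, dst=DMZ_DNS),
    Rule("lan", "dmz", "tcp", 25, dst=DMZ_MAIL_RELAY),
    # DMZ -> Internet: each DMZ host goes out only for its own job
    Rule("dmz", "internet", "tcp", 80, src=DMZ_PROXY),
    Rule("dmz", "internet", "tcp", 443, src=DMZ_PROXY),
    Rule("dmz", "internet", "tcp", 25, src=DMZ_MAIL_RELAY),
    Rule("dmz", "internet", "udp", 53, src=DMZ_DNS),
    # DMZ -> LAN: the single hole, inbound mail handed to the internal server
    Rule("dmz", "lan", "tcp", 25, src=DMZ_MAIL_RELAY, dst=LAN_MAIL),
    # No LAN -> Internet rule at all: the LAN talks to the Internet via the proxy.
]


def zone_of(ip: str) -> str:
    """Map an address to its leg; specific blocks first, Internet as catch-all."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'accept' or 'drop' for a new connection, first matching rule wins."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in POLICY:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) != (sz, dz, proto, dport):
            continue
        if r.src is not None and r.src != src:
            continue
        if r.dst is not None and r.dst != dst:
            continue
        return "accept"
    return "drop"


def render_nftables() -> str:
    """Emit the same policy as an nftables forward chain (interface names assumed)."""
    ifaces = {"internet": "eth0", "dmz": "eth1", "lan": "eth2"}
    lines = [
        "table inet fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in POLICY:
        parts = [f"iifname {ifaces[r.src_zone]}", f"oifname {ifaces[r.dst_zone]}"]
        if r.src is not None:
            parts.append(f"ip saddr {r.src}")
        if r.dst is not None:
            parts.append(f"ip daddr {r.dst}")
        parts.append(f"{r.proto} dport {r.dport} ct state new accept")
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())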

------------------------------------------------------------------------
---
------------------------------------------------------------------------
----







************************************************************************
***
Messages included in this e-mail and any of its attachments are those of
the author unless specifically stated to represent WorkCover Queensland.
The contents of this message are to be used for the intended purpose
only and are to be kept confidential at all times. This message may
contain privileged information directed only to the intended
addressee/s. Accidental receipt of this information should be deleted
promptly and the sender notified. This e-mail has been scanned by Sophos
for known viruses. However, no warranty nor liability is implied in this
respect.
**********************************************************************


------------------------------------------------------------------------
---
------------------------------------------------------------------------
----





---------------------------------------------------------------------------
----------------------------------------------------------------------------


Current thread: