Security Basics mailing list archives
RE: Basic Network Configuration
From: "David Fore" <wdfore () ev1 net>
Date: Wed, 15 Oct 2003 11:26:42 -0500
If you want to go one step farther, you can have 2 interfaces on your DMZ stuff, then put another firewall before your LAN. You would not necessarily have a connection between the 2 firewalls. More admin, but some believe more secure. Internet<------>Firewall Firewall<------>LAN------Internet Proxy | | Mail Server | DMZ | DNS Server |<->Proxy<---->| |<->mail rly <->| |<->DNS<----->| Regards, David PGP 0xA19B5C17 (pubkey: ldap://keyserver.pgp.com) -----Original Message----- From: Ivan Coric [mailto:ivan.coric () workcoverqld com au] Sent: Tuesday, October 14, 2003 6:28 PM To: security-basics () securityfocus com; ksmith () systemsalliance com Subject: Re: Basic Network Configuration Hi KC, A traditional setup, and a good one. If possible don't allow any direct comms from the LAN to the internet, or at least limit it. internet<-------------------->Firewal<-------------------->LAN---------I nternet proxy | |-------Mail Server | |-------DNS Server DMZ Internet Proxy Mail Relay DNS Regards Ivan Ivan Coric IT Technical Security Officer Information Technology WorkCover Queensland Ph: (07) 30066414 Fax: (07) 30066424 Email: ivan.coric () workcoverqld com au
"Smith, KC" <ksmith () systemsalliance com> 10/15/03 02:40am >>>
All, Okay I know this is truly a basic question, but this is after all the "security-BASICS" list! Most LAN configs I've seen include two, separate pieces of hardware to define the DMZ. A firewall on the outside and another firewall or policy switch on the inside is usually how I've seen that handled. My new company uses 3 separate NICs in the same firewall. One for inbound, one for the LAN and one for the DMZ. Each has it's own address block. It seems like using the firewall to do this makes sense, but I'd appreciate some external confirmation on that. The second issue is this: is there a rule of thumb to determine what should and should not go in the DMZ vs. the LAN? It seems to me that anything that requires access from outside the network (Ex. DNS servers, Mail servers, demo servers, etc.) should go in the DMZ. True? Thanks in advance. KC Smith ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- ************************************************************************ *** Messages included in this e-mail and any of its attachments are those of the author unless specifically stated to represent WorkCover Queensland. The contents of this message are to be used for the intended purpose only and are to be kept confidential at all times. This message may contain privileged information directed only to the intended addressee/s. Accidental receipt of this information should be deleted promptly and the sender notified. This e-mail has been scanned by Sophos for known viruses. However, no warranty nor liability is implied in this respect. ********************************************************************** ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- RE: Basic Network Configuration, (continued)
- RE: Basic Network Configuration David Gillett (Oct 16)
- Re: Basic Network Configuration DRAx (Oct 16)
- Re: Basic Network Configuration Ansgar -59cobalt- Wiechers (Oct 16)
- RE: Basic Network Configuration David Gillett (Oct 16)
- Re: Basic Network Configuration 'Ansgar -59cobalt- Wiechers' (Oct 16)
- RE: Basic Network Configuration David Gillett (Oct 17)
- Re: Basic Network Configuration 'Ansgar -59cobalt- Wiechers' (Oct 17)
- Ports used by VTAM Naren - Pactech (Oct 17)
- RE: Basic Network Configuration David Fore (Oct 15)