Firewall Wizards mailing list archives
DMZ best practices
From: "Perry, David" <perry () timpo osd mil>
Date: Thu, 14 Jan 1999 14:54:37 -0600
Some firewall implementations allow for an additional interface to be used as a DMZ. Does implementing a DMZ from additional firewall interfaces constitute a best practice? What are the risks associated with configuring a DMZ directly off an additional firewall interface? Or, should a DMZ be configured as an isolated subnet off the "outside" firewall interface?

Also, is there an advantage to placing various discrete proxy servers (such as sendmail, http, dns, etc.) in a DMZ rather than having a proxy-based firewall with integrated features? For example, suppose the firewall sports a "secure os" with built-in split-dns, sendmail and http, but later it is determined that the sendmail version has a vulnerability. Now I might have to wait for the firewall vendor to issue a patch to sendmail on the secure os'd platform.

What about firewall CPU utilization and performance of integrated services such as those mentioned - would sendmail, http and dns proxies integrated on a single platform severely impede performance? Finally, what about reliability - a single point of failure for all these integrated services.

I am trying to determine if it's better to place discrete proxies and services (such as public web servers, sendmail, etc.) as needed into a DMZ rather than relying on the firewall platform. Also, I am trying to determine what the best practices for implementation of a DMZ are.

Thanks for your time.

David Perry
SRA International
perry () timpo osd mil