Firewall Wizards mailing list archives
RE: DMZ or not ?
From: Ben Nagy <bnagy () cpms com au>
Date: Mon, 11 Oct 1999 09:52:37 +0930
Hm. Tom, why do you presume that the protection offered by a router with decent ACLs is going to be any worse than a firewall? In some cases it's true, but for simple-simon upper layer protocols like HTTP then unless you're using an amazing application proxy (and arguably not even then) you often gain very little and lose speed. The basic argument is that once you're allowing people access to the WWW service then you've lost most of the battle - they can get at all your CGI scripts, ASPs or what-the-hell-ever you have sitting around waiting for a remote exploit.

The "Classic" DMZ offers the same level of protection for the internal network, so that's not an issue...

Finally, _static_ NAT may be security by obscurity, but dynamic NAT does actually improve security by only making connections to dynamically mapped hosts available for a short time, and only after a connection has been initiated. This is not an issue for incoming WWW and DNS in this case though.

Fabio, I would certainly recommend getting those WWW servers out of the internal network and into some kind of DMZ. As Tom points out, this helps prevent the WWW server being used as a staging point to mount an attack on the internal network. Personally, if you have a router, I think you'll get (slightly) better WWW performance and not lose much security by putting the WWW server directly behind the router, as long as you can mess with its access control lists. If it's not your router, I'd hang another NIC off the firewall.

Make sure you've taken all the sensible precautions relevant to your particular DNS server - you don't want people to be able to mess with your DNS.

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520
-----Original Message-----
From: Thomas Crowe [mailto:thomas.crowe () bellsouth net]
Sent: Friday, 8 October 1999 9:59 PM
To: fgb () domain com br; firewall-wizards () nfr net
Subject: RE: DMZ or not ?

That depends a lot on what definition of a DMZ you're using! If you mean the classical definition of a DMZ, i.e. in between the router and the firewall, *unprotected* except by router ACLs, then my advice would be, don't do it, not under any circumstances! (ok, maybe one or two circumstances). If you're referring to the somewhat more contemporary definition of a DMZ, i.e. another interface off your firewall, whereas all traffic must still traverse the firewall, then I would say go for it; that way *when* your public machines get hacked your internal network is still protected. This is good; very good :-).

NAT is a good thing, but it is security through obscurity, which isn't very secure in and of itself.

Just my $0.02

Thomas Crowe
Production Network Systems Administrator
BellSouth Online
678-441-7454

-----Original Message-----
From: owner-firewall-wizards () lists nfr net [mailto:owner-firewall-wizards () lists nfr net] On Behalf Of fgb () domain com br
Sent: Wednesday, October 06, 1999 9:57 AM
To: firewall-wizards () nfr net
Subject: DMZ or not ?

Hello wizards,

Divergences are occurring here in my office about the use of a DMZ, and I hope the wizards will give me some explanations and/or secure information about the better implementation.

Currently, we're using Linux as a Firewall Box, with a port forwarding to our mail server, that is behind the firewall. We are now on our way to install a public web server and a DNS server.

What are the advantages and disadvantages of placing these servers behind the firewall and performing NAT or port forwarding, instead of using a DMZ? Which of the options should I implement here in my office, to have a secure site?

Thanks and regards,

Fábio Baptista
fgb () domain com br
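The thread above compares three things: a public server on a separate firewall interface (Tom's "contemporary" DMZ), a public server port-forwarded into the internal segment (Fábio's current setup), and the stateful/"dynamic NAT" behaviour Ben describes, where an outside host can only reach a mapped inside host after that inside host has opened a connection. The following is an added example for this archive page, not code from the list or from any of the posters: a small stateful packet-filter model in Python that plays the same packets through both layouts. Zone names, addresses (RFC 5737 documentation ranges and 10/8), ports and the rule sets are assumptions chosen to illustrate the point; it models filtering and connection tracking on already-translated addresses and does not rewrite addresses, so it is a model of the policy, not a Linux ruleset (in 1999 that would have been ipchains).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed addressing for the model: public DMZ block, private internal block.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside the two known blocks is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Rule:
    src: str                        # source zone, or "any"
    dst: str                        # destination zone, or "any"
    proto: str                      # "tcp" or "udp"
    dport: Optional[int]            # None matches any destination port
    action: str                     # "accept" or "drop"
    dst_host: Optional[str] = None  # pin the rule to one address (a port forward)

    def matches(self, src_zone: str, dst_zone: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (self.src in ("any", src_zone) and self.dst in ("any", dst_zone)
                and self.proto == proto and self.dport in (None, dport)
                and self.dst_host in (None, dst_ip))

@dataclass
class Firewall:
    rules: List[Rule]
    conntrack: Set[Tuple[str, int, str, int, str]] = field(default_factory=set)

    def packet(self, src_ip: str, sport: int, dst_ip: str, dport: int, proto: str = "tcp") -> str:
        src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
        if src_zone == dst_zone:
            # Two hosts on the same segment talk directly; the firewall is not in the path.
            return "unfiltered"
        if (dst_ip, dport, src_ip, sport, proto) in self.conntrack:
            # Answer to a flow the firewall already accepted. This is the stateful
            # (dynamic NAT style) behaviour: the hole exists only because the inside
            # host opened it, and only for that 5-tuple.
            return "established"
        for rule in self.rules:
            if rule.matches(src_zone, dst_zone, dst_ip, proto, dport):
                if rule.action == "accept":
                    self.conntrack.add((src_ip, sport, dst_ip, dport, proto))
                return rule.action
        return "drop"  # default policy: deny

WEB_DMZ, WEB_FLAT = "192.0.2.10", "10.0.0.10"   # the web server in each layout (assumed)
FILESERVER, CLIENT = "10.0.0.5", "198.51.100.7"  # internal file server, outside browser (assumed)

def dmz_layout() -> Firewall:
    """Public servers on a third firewall interface; all inter-zone traffic is filtered."""
    return Firewall([
        Rule("internet", "dmz", "tcp", 80, "accept"),
        Rule("internet", "dmz", "tcp", 53, "accept"),
        Rule("internet", "dmz", "udp", 53, "accept"),
        Rule("internal", "dmz", "tcp", None, "accept"),
        Rule("internal", "dmz", "udp", None, "accept"),
        Rule("internal", "internet", "tcp", None, "accept"),
        Rule("internal", "internet", "udp", None, "accept"),
        # Deliberately no dmz -> internal rule: a hacked public host cannot pivot inward.
    ])

def flat_layout() -> Firewall:
    """Web server inside the internal network, exposed through a port forward."""
    return Firewall([
        Rule("internet", "internal", "tcp", 80, "accept", dst_host=WEB_FLAT),
        Rule("internal", "internet", "tcp", None, "accept"),
        Rule("internal", "internet", "udp", None, "accept"),
    ])

def web_then_pivot(fw: Firewall, web_ip: str) -> Tuple[str, str, str]:
    """A client fetches a page, then the (now compromised) web server probes the file server."""
    first = fw.packet(CLIENT, 51000, web_ip, 80)
    reply = fw.packet(web_ip, 80, CLIENT, 51000)
    pivot = fw.packet(web_ip, 40001, FILESERVER, 139)
    return first, reply, pivot

def nat_window(fw: Firewall) -> Tuple[str, str, str]:
    """An outside host can only answer a flow an internal workstation started."""
    ws, ext = "10.0.0.7", "203.0.113.5"
    probe_before = fw.packet(ext, 40002, ws, 80)       # unsolicited: no mapping yet
    fw.packet(ws, 52000, ext, 80)                      # workstation browses out
    reply = fw.packet(ext, 80, ws, 52000)              # answer to that flow
    probe_after = fw.packet(ext, 40003, ws, 445)       # same attacker, unrelated port
    return probe_before, reply, probe_after

if __name__ == "__main__":
    print("dmz layout :", web_then_pivot(dmz_layout(), WEB_DMZ))
    print("flat layout:", web_then_pivot(flat_layout(), WEB_FLAT))
    print("nat window :", nat_window(dmz_layout()))
```

The web fetch and its reply are accepted in both layouts, which is Ben's point that once you publish the service the server itself is equally exposed either way. The difference shows up on the pivot: in the DMZ layout the web server's connection to the internal file server is dropped because no rule exists for it, while in the flat layout it is never filtered at all, since both hosts sit on the same segment. `nat_window` shows the other half of Ben's argument: the outside host's probe is dropped until the workstation opens a flow, the reply to that flow is let through as established, and a probe to a different port from the same outside host is dropped again.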
Current thread:
- DMZ or not ? fgb (Oct 06)
- RE: DMZ or not ? Thomas Crowe (Oct 08)
- Re: DMZ or not ? Frederick M Avolio (Oct 12)
- <Possible follow-ups>
- RE: DMZ or not ? Ben Nagy (Oct 12)
- RE: DMZ or not ? Moore, James (Oct 12)
- RE: DMZ or not ? Thomas Crowe (Oct 12)
- RE: DMZ or not ? Mike Coppage (Oct 13)
- RE: DMZ or not ? Thomas Crowe (Oct 16)
- Re: DMZ or not ? Mikael Olsson (Oct 16)
- Re: DMZ or not ? Cristiano Lincoln Mattos (Oct 12)
- RE: DMZ or not ? Harris Raymond D JR CIV AFAA/MSI (Oct 12)
- RE: DMZ or not ? sean . kelly (Oct 12)