Firewall Wizards mailing list archives

Re: DMZ or not ?


From: "Cristiano Lincoln Mattos" <lincoln () cesar org br>
Date: Fri, 8 Oct 1999 16:27:02 -0300

Hi,

> We are now about to install a public web server and a DNS server. What
> are the advantages and disadvantages of placing these servers behind the
> firewall and performing NAT or port forwarding, instead of using a DMZ?

    You should *never* put publicly accessible servers on your internal
network, where the "other" computers are. Note that I don't say you should
not put them behind a firewall... only not in the same net as your internal
computers.  The reason for this is that these servers are, well, public -
therefore, more likely to be attacked.  If someone succeeds in penetrating,
say, the webserver, he will have instant access to your internal network.
    The architecture that I would recommend would be your firewall having
(at least) 3 network cards, one for the external network, one for your
internal network, and the other for the publicly available servers.  With
this, you can isolate your networks appropriately, containing the damage
caused by an eventual attack.
  Needless to say, you should have a very high degree of host-based security
on your public servers and the firewall.

> Currently, we're using Linux as a firewall box, with port forwarding to
> our mail server, which is behind the firewall.
> We are now about to install a public web server and a DNS server. What
> are the advantages and disadvantages of placing these servers behind the
> firewall and performing NAT or port forwarding, instead of using a DMZ?

  You should use NAT for your internal network.  I don't really see
significant security advantages to using NAT on your public servers: you can
do it all with published IPs and proper rules on your firewall.  You may have
to use published IPs anyway, depending on the type of services you offer,
and if your firewall provides these services in NAT mode.

- Cristiano Lincoln Mattos
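The three-interface layout and the "NAT the internal net, publish the DMZ addresses" split described in this reply, as an added example that is not from the post or the list: an nftables ruleset for a Linux firewall, with assumed interface names wan0, lan0 and dmz0, a private 10.0.0.0/24 inside, and placeholder public addresses from the 203.0.113.0/24 documentation range for the web and DNS servers.

```shell
#!/bin/sh
# Three-NIC policy for the layout recommended above, in nftables rather than
# the ipchains of the era. Assumed names (not from the post): wan0 external,
# lan0 internal (private 10.0.0.0/24), dmz0 public servers with published
# addresses from the 203.0.113.0/24 documentation range (web .2, DNS .3).
set -eu
WAN=wan0; LAN=lan0; DMZ=dmz0; LAN_NET=10.0.0.0/24
WEB=203.0.113.2; DNS=203.0.113.3

# Print the ruleset so it can be reviewed or diffed before being loaded.
emit_ruleset() {
    cat <<EOF
flush ruleset
table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "$LAN" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Internet -> DMZ: only the published services on the published IPs
        iifname "$WAN" oifname "$DMZ" ip daddr $WEB tcp dport { 80, 443 } accept
        iifname "$WAN" oifname "$DMZ" ip daddr $DNS meta l4proto { tcp, udp } th dport 53 accept
        # Internal -> DMZ (admin + services) and Internal -> Internet
        iifname "$LAN" oifname "$DMZ" meta l4proto { tcp, udp } th dport { 22, 53, 80, 443 } accept
        iifname "$LAN" oifname "$WAN" accept
        # DMZ -> Internal: never, so a compromised public host stays contained
        iifname "$DMZ" oifname "$LAN" drop
        # DMZ -> Internet: only what the DNS server needs for recursion
        iifname "$DMZ" oifname "$WAN" ip saddr $DNS meta l4proto { tcp, udp } th dport 53 accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # NAT the private internal net only; DMZ hosts keep their published IPs
        oifname "$WAN" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# nft loads the file atomically and rejects all of it on any syntax error.
apply_ruleset() { emit_ruleset | nft -f -; }
if [ "${1:-}" = "apply" ]; then apply_ruleset; fi
```

Run without arguments to print the policy for review; run with `apply` as root to load it.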