firewalls >> DMZ and Intranet

by Beoweolf » Sat, 02 Aug 2003 09:23:41 GMT

With a DMZ, you can compartmentalize. Your internal network would not be
directly exposed to the internet. You would place your Public services on
the DMZ, Web server, FTP server, Front end for SQL or Exchange/Mail.

That's the short skinny... for detail, read or search the net.

< XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...
> Thank you in advance for looking at my post.
>
> Pardon my ignorance since Firewall technology is not my specialty.
> Could someone be so kind as to explain the benefits of purchasing a
> firewall solution with DMZ capability. What would be the difference
> if i would purchase a firewall without DMZ hookup and just open the
> ports for FTP, or Web Service (to host my own web site)?
>
> The price difference between a Pix with and without dmz is about $700.
>
> Thank you in advance for your input.
>
> Respectfully
>
> NB



firewalls >> DMZ and Intranet

by T. » Sat, 02 Aug 2003 09:30:14 GMT



The DMZ has its uses. Really the only purpose of a DMZ is to isolate
your public servers from everything else. If the DMZ gets hacked, the
LAN is still not accessible. In your suggested setup (the way I read
it anyway) the LAN would be accessible. Some people care about that,
some don't. Depends on what services your server runs and how
vulnerable they are to attack.

Of course the DMZ can be configured to do a bunch of stuff, but that's
the intended use.


-T.

firewalls >> DMZ and Intranet

by Duane Arnold » Sat, 02 Aug 2003 09:45:17 GMT


From a home user standpoint, the only reason to have a FW solution with
DMZ is for when you need to make contact with another machine over the
Internet and you want to make sure you're making contact with the other
machine. It's an open or public area not protected by the FW that a
computer can be placed into and exposed to the public Internet.

DMZ is a viable solution in business networking situation, but is not
normally the same situation for a home user. You should avoid putting a
machine into the DMZ, unless you have a host based FW solution on the
machine and there is good reason for having a machine in the DMZ.
Otherwise, stay out of the DMZ at all cost and stay behind the FW and
learn how to open ports (port forwarding) on the FW to the
IP/machine that needs the ports open.

Also, most ISPs are not going to let you have a Web server operational
on their network and they do scan for it. In my case, I open the Web
server ports when I need to and close them when done to avoid that
disconnection of service email by the ISP being sent.

I guess my last piece of advice is: do you need a high-end FW solution at
this time? That's a lot of $$$ to be spending with a learning curve to be
faced, but there's nothing wrong with it.

There is the low-end NAT router with SPI or host based FW on the machine
that works well too, keeping some $$$ in the pocket.

Duane :)

--
The protection of the machine is a process and not a given!

firewalls >> DMZ and Intranet

by svek » Sun, 03 Aug 2003 05:12:01 GMT


With a firewall such as a PIX you should be able to set firewalling
rules for the DMZ interface as well, choosing what to filter and what
to let in.
Correct me if I am wrong because I'm not too familiar with the PIX
firewall, that's at least how it should be.


This is actually why you should use the DMZ.
You should put your public servers in the DMZ instead of your intranet
because if those public servers were breached then your intranet is
still out of risk.
So use the DMZ (or screened network which is a more correct term ;)
and use it well.
You should make a ruleset for it only letting the ports needed be open
and make sure your servers are hardened and scaled down as much as
possible; only the things you really need should be installed on those
servers.
If you can, you should really look into security-enhanced OSes on which
your servers can be run (like web, mail, ftp, etc. servers).
And if you have the ability/money/old computers to, then you should run
one service per physical server.

/svek

firewalls >> DMZ and Intranet

by Duane Arnold » Sun, 03 Aug 2003 07:30:40 GMT


I'll keep this in mind. I have had this Linksys wireless router
approaching three years. What is the life expectancy of these routers?

Thanks

Duane :)

--
The protection of the machine is a process and not a given!

firewalls >> DMZ and Intranet

by John » Sun, 03 Aug 2003 12:50:17 GMT


In simple terms, a dmz is nothing but another connection off of the
firewall. The reason to care about having this extra connection is to
minimize exposure. You place machines which require public access (like a
web or mail server) in the dmz and limit connections from the outside to
only the services you wish to offer. The inside interface has the rest of your
network behind it and offers no outside access at all. It only allows
traffic to go out and the reply to that traffic back in.
As to whether you NEED a dmz, you say the extra interface costs $700.
How much is the information on your network worth? If your web server is
hacked and allows an intruder inside your network because the web server
is inside your network would you wish you had spent the money to isolate
it or is this a risk you can afford to take? Only you know. Answer this
and you will know what to do.
--
___________
John Holmes
XXXX@XXXXX.COM
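
The three-zone policy John describes above (and the "only the ports needed" ruleset svek asks for) written out as a small checkable model: new connections are judged by source zone and destination zone, replies ride on connection tracking, the Internet reaches the DMZ only on the published ports, and nothing may be initiated from the DMZ into the LAN. This is an added example for this thread, not code from any poster or from the PIX; the interface names (eth0 WAN, eth1 DMZ, eth2 LAN), the address ranges and the DMZ hosts are assumed. It also emits the equivalent nftables forward chain and runs a few constructed flows, including the one the thread worries about: a compromised DMZ web server trying to reach a LAN host.

```python
"""Three-zone firewall policy (WAN / DMZ / LAN) as a checkable model.

Added example written for this thread; not code from any poster or from
the PIX. Interfaces, address ranges and DMZ hosts are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology: one firewall, three interfaces, one zone per interface.
ZONE_IF = {"wan": "eth0", "dmz": "eth1", "lan": "eth2"}
ZONE_NET = {"dmz": ip_network("10.10.0.0/24"), "lan": ip_network("10.0.0.0/24")}

# Services the DMZ publishes to the Internet: (DMZ address, proto, port).
# The public address is DNAT'd in prerouting, so the forward chain sees
# the DMZ address. Assumed hosts for illustration.
PUBLIC_SERVICES = {
    ("10.10.0.10", "tcp", 80),
    ("10.10.0.10", "tcp", 443),
    ("10.10.0.20", "tcp", 25),
}

# Which zone may open NEW connections into which. Replies are accepted by
# connection tracking and never consult this table.
POLICY = {
    ("lan", "wan"): "allow",
    ("lan", "dmz"): "allow",     # admins and users reach DMZ hosts
    ("wan", "dmz"): "services",  # only the published ports
    ("dmz", "wan"): "allow",     # DMZ hosts may go out; tighten to what they need
    ("dmz", "lan"): "deny",      # the property the DMZ exists for
    ("wan", "lan"): "deny",
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything not DMZ or LAN is the Internet."""
    addr = ip_address(ip)
    for zone, net in ZONE_NET.items():
        if addr in net:
            return zone
    return "wan"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Firewall:
    """Minimal stateful forward filter: ESTABLISHED first, then zone policy."""

    def __init__(self) -> None:
        self.conntrack: set = set()  # 5-tuples stored in originating direction

    def filter(self, pkt: Packet) -> str:
        orig = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if orig in self.conntrack or reply in self.conntrack:
            return "allow"  # part of a connection we already accepted
        action = POLICY.get((zone_of(pkt.src), zone_of(pkt.dst)), "deny")
        if action == "services":
            action = "allow" if (pkt.dst, pkt.proto, pkt.dport) in PUBLIC_SERVICES else "deny"
        if action == "allow":
            self.conntrack.add(orig)
        return action


def render_nftables() -> str:
    """Emit the same policy as an nftables forward chain with default drop."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for (src, dst), action in POLICY.items():
        match = f'iifname "{ZONE_IF[src]}" oifname "{ZONE_IF[dst]}"'
        if action == "allow":
            lines.append(f"    {match} accept")
        elif action == "services":
            for host, proto, port in sorted(PUBLIC_SERVICES):
                lines.append(f"    {match} ip daddr {host} {proto} dport {port} accept")
        else:  # explicit counted, logged drop so DMZ->LAN attempts are visible
            lines.append(f'    {match} counter log prefix "{src}-to-{dst} " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    fw = Firewall()
    web = "10.10.0.10"
    # Constructed flows: Internet client to the web server and its reply,
    # an unpublished port, then a compromised web server probing the LAN.
    print(fw.filter(Packet("198.51.100.7", 40000, web, 443)))  # allow
    print(fw.filter(Packet(web, 443, "198.51.100.7", 40000)))  # allow (reply)
    print(fw.filter(Packet("198.51.100.7", 40001, web, 22)))   # deny
    print(fw.filter(Packet(web, 50000, "10.0.0.5", 445)))      # deny (dmz -> lan)
    print(fw.filter(Packet("10.0.0.5", 51000, web, 22)))       # allow (lan -> dmz)
    print(fw.filter(Packet(web, 22, "10.0.0.5", 51000)))       # allow (reply)
    print(render_nftables())
```

The point of keeping the policy as a zone table rather than a list of ad-hoc port openings is that the DMZ-to-LAN "deny" is a single, reviewable line, and the rendered chain drops that traffic with a counter so a compromised DMZ host probing inward shows up in the logs instead of silently failing.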

firewalls >> DMZ and Intranet

by CZ » Sun, 03 Aug 2003 12:56:40 GMT

> How about this for your cheaper solution:
>
> 1) Install a Linksys (LS#1) connected to the internet, we'll call this
> the DMZ Linksys.
>
> 2) Install a second Linksys (LS#2) with the WAN port connecting to the
> LAN port on the DMZ Linksys (LS#1).
>
> 3) Port forward through DMZ Linksys to servers connected to the LAN in
> DMZ Linksys network.
>
> 4) Put your computers in the Linksys LAN on LS#2.
>
> With this setup your computers in the private lan (LS#2) will not be
> reachable from the public computers in the DMZ, but your DMZ computers
> will be reachable from the LAN and the internet.
>
> I use this setup in test labs to isolate development teams from each
> other.
>
> Linksys 4Port VPN/Firewall appliances are $75 at BestBuy.

Leythos:

What security measures have you employed on the LAN port of the DMZ LinkSys
unit to protect it from a compromised DMZ server?

TIA

firewalls >> DMZ and Intranet

by CZ » Sun, 03 Aug 2003 23:14:28 GMT

Leythos:

What security features does the DMZ LinkSys unit (#1) have to protect the
unit's mgmt s/w and the LAN ports from a compromised DMZ server?

For example:
My Netgear RT 314 allows me to block all TCP/IP access to its mgmt s/w and
use a DB9 serial connector. Does the LinkSys unit support that? Can you
create/change the mgmt s/w user acct & password? Can you control how the
mgmt s/w is accessed (protocols, ports, etc)?

My Netgear has strong packet filtering rules on the LAN port (and the WAN
port). Does the LinkSys?

TIA