

Setting up DMZ

Posted on 2003-02-20
Medium Priority
Last Modified: 2010-04-11
OK, I'm in the process of building a DMZ... have a Nokia IP330 set up with Checkpoint NG, FP3... I need to find documents on how to build this? I've searched all through Checkpoint's knowledge base, not enough info..

- what I need is from the beginning, objects I need to make (putting Exchange out there)
- rules I need to make
- also, have SecuRemote users that need access to the Exchange server remotely
- need to ensure the corporate LAN will NOT have issues getting email from the DMZ

any help or direction to find this will be beyond GREATLY APPRECIATED....

Question by:foad

Expert Comment

ID: 7988162
I hope you don't take this the wrong way but I really hope you're not doing this for a business because you're basically asking for an entire setup scenario, something you should already know how to do if you are in charge of this for a company.

Secondly...what kind of a DMZ are you looking for? I would need more information...how are you wanting to lock things down? What devices do you have in your network besides Exchange? A DMZ can mean different things...you can have a dirty DMZ, you can create a sandwiched type DMZ where you have multiple firewalls...but you pointed out you only have a single Checkpoint box...so what you're creating really isn't a true DMZ in the sense it's mostly used. DMZs are mostly used to segment parts of networks, more so than just the classic Internet -> LAN segment.

So what you're wanting to know is simply how to set up your firewall to separate your LAN from the Internet? Or do you have multiple boxes or other devices you can use to segment and route traffic? More info is needed here.


Accepted Solution

Gruff66 earned 800 total points
ID: 8015909
Let's start from the beginning then.
You have an external interface on the firewall, eth-s3p1c0 (probably), and an internal interface (eth-s1p4c0 ?). On an IP330 this will leave you with a spare interface.

In Nokia Voyager, go into Interfaces and configure the spare interface with an RFC1918 address that does not clash with any of your internal nets (perhaps with a 24-bit mask). In the Physical interface part of the interface, configure the speed of the interface to match the switch/hub to which the interface will connect, 10/half or 100/full.

In the Interface section make sure that the interface is set to ACTIVE. When you plug it into the switch/hub you should see the link status as UP.

That's the hard bit done ;-). Next you need to decide what to put in the DMZ. I would not recommend putting a mail server in there, but instead a content checking device such as MailSweeper.

Generally, you would configure any server in this network with a 172.16.0.x address and make its default gateway 172.16.0.y, where the y is the address of the firewall interface on this network. You would then need to configure the FW software to use NAT to translate traffic. You would designate an IP address from your ISP range to the server and allow certain traffic from the Internet on a specific port to the ISP address assigned. You would then configure a NAT rule to redirect the traffic to this destination to the 172.16.0.x address.

You will need to add an ARP entry to the firewall to ensure the external interface of the firewall knows to accept the traffic, and a static route on the firewall to make sure it routes correctly. In NG FP3 these two parts can be done automatically by using Automatic NAT; although this can limit functionality, it would probably suffice in this instance.

Gimme a shout if you need anything else
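One way to sanity-check the addressing, NAT, ARP and routing plan the accepted answer lays out, as an added example that is not code from the thread, Check Point or Nokia. It checks that the chosen DMZ subnet is RFC1918 and does not overlap the internal nets, derives the firewall's DMZ-side address (the "y" in the answer), and lists for each DMZ host the access rule, static NAT mapping, proxy-ARP entry and static route the answer says the firewall needs. The plan format, the function names and every address are constructed for illustration; the real objects and NAT rules are still built in the Check Point and Voyager GUIs, not generated from this text.

```python
"""Added example, not from the original thread, Check Point or Nokia: a
planning helper for the single-firewall DMZ described in the accepted answer.
Output is a plain-text plan, not Check Point rulebase or IPSO syntax."""
import ipaddress

# Private ranges the answer says the DMZ subnet should come from.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_dmz_subnet(dmz_cidr, internal_cidrs):
    """Return a list of problems with the chosen DMZ subnet (empty = usable)."""
    dmz_net = ipaddress.ip_network(dmz_cidr)
    problems = []
    if not any(dmz_net.subnet_of(r) for r in RFC1918):
        problems.append(f"{dmz_net} is not an RFC1918 range")
    for cidr in internal_cidrs:
        net = ipaddress.ip_network(cidr)
        if dmz_net.overlaps(net):
            problems.append(f"{dmz_net} overlaps internal net {net}")
    return problems


def plan_dmz(dmz_cidr, internal_cidrs, servers):
    """Build the plan. `servers` is a list of dicts with keys
    name, private (DMZ address), public (ISP-assigned address), ports (TCP)."""
    problems = check_dmz_subnet(dmz_cidr, internal_cidrs)
    if problems:
        raise ValueError("; ".join(problems))
    dmz_net = ipaddress.ip_network(dmz_cidr)

    # Convention used here: first usable host is the firewall's DMZ interface,
    # which every DMZ server uses as its default gateway.
    fw_addr = next(dmz_net.hosts())
    plan = {"dmz_net": str(dmz_net), "fw_dmz_addr": str(fw_addr),
            "hosts": [], "rules": [], "nat": [], "arp": [], "routes": []}
    seen_public = set()
    for srv in servers:
        priv = ipaddress.ip_address(srv["private"])
        pub = ipaddress.ip_address(srv["public"])
        if priv not in dmz_net or priv == fw_addr:
            raise ValueError(f"{srv['name']}: {priv} is not a usable DMZ host address")
        if any(pub in r for r in RFC1918):
            raise ValueError(f"{srv['name']}: public address {pub} must be from the ISP range")
        if pub in seen_public:
            raise ValueError(f"{srv['name']}: public address {pub} used twice")
        seen_public.add(pub)

        plan["hosts"].append(f"{srv['name']}: {priv}, default gateway {fw_addr}")
        # Only the listed ports are opened from the Internet to the public address.
        for port in sorted(set(srv["ports"])):
            plan["rules"].append(f"accept tcp/{port} from any to {pub}")
        # Static NAT: traffic for the ISP address is redirected to the DMZ host.
        plan["nat"].append(f"static dst {pub} -> {priv}")
        # Firewall must answer ARP for the public address on its external side.
        plan["arp"].append(f"proxy-arp {pub} on external interface")
        # Static route so the translated packet is sent out the DMZ interface.
        plan["routes"].append(f"{pub}/32 -> DMZ interface (host {priv})")
    return plan


if __name__ == "__main__":
    # Constructed sample: one mail relay in the DMZ, internal LAN on 10.1.0.0/16.
    sample = plan_dmz("172.16.0.0/24", ["10.1.0.0/16"],
                      [{"name": "mailrelay", "private": "172.16.0.10",
                        "public": "198.51.100.25", "ports": [25]}])
    for section, lines in sample.items():
        print(section, lines if isinstance(lines, str) else "")
        if isinstance(lines, list):
            for line in lines:
                print("   ", line)
```

The overlap check is the part that matters most in practice: a DMZ range that collides with an internal net or a SecuRemote client pool produces routing that silently works for some hosts and fails for others, which is much harder to debug than a rejected plan.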


Author Comment

ID: 8016556
Thanks, that's exactly what I was looking for.... Works great...
