Implementing a DMZ
Posted on 2004-08-04
Thanks for taking a minute... Please bear with me; I'm a CCNA, but still somewhat green in practical application.
I need to implement a DMZ for my corporation, and have been tasked with doing the research.
I'd like to tell you what I have in mind, and perhaps some of you can tell me if I'm on the right track, or smokin' crack.
My perception of what a DMZ is, or should be...
In a sentence...
A DMZ is a somewhat less secure network that exists (physically) between your private (secure) network and a public network.
How can this be accomplished?
How about two routers, each with 2 serial interfaces?
Router A has serial 0 tied to the public network, and serial 1 tied to the DMZ.
Router B has serial 1 tied to the DMZ, and serial 0 tied to the private network.
Via programming, no traffic of any kind is passed directly between Router A serial 0 and Router B serial 0.
Router B serial 0 is, in theory, the ONLY point of access to/from the private network.
All outside access, network or remote, must authenticate within the DMZ first, and then may be allowed a shot at authenticating to the private network.
As far as the basic structure, is this fundamentally correct, or flawed?
Could the same thing be accomplished with a single router having 4 serial interfaces and proper programming?
I know that there are many other things to consider: authentication, remote access, NAT, bandwidth, etc...
To start, however, I just need to get a grip on the fundamental design aspects, starting with the hardware, etc...
Thanks for being patient, and any responses are greatly appreciated.
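As an added illustration (not part of the original post), here is how the "via programming" part of the two-router layout could be expressed as Cisco IOS-style access lists. Every address, host role and published service beyond the poster's Serial0/Serial1 description is a constructed assumption, and UDP and ICMP handling is omitted.

```cisco
! ----- Router A (outer): Serial0 = public side, Serial1 = DMZ side -----
! Constructed addressing: DMZ 192.0.2.0/24, private 10.0.0.0/8,
! public web host 192.0.2.10 and mail relay 192.0.2.20 in the DMZ.
ip access-list extended FROM-PUBLIC
 remark anti-spoofing: nothing on the public link may claim an inside source
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark unsolicited traffic from outside may reach only published DMZ services
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.20 eq 25
 remark replies to sessions opened from inside ("established" = ACK/RST set;
 remark this is a stateless flag check, not a stateful firewall)
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit tcp any 10.0.0.0 0.255.255.255 established
 deny   ip any any log
!
interface Serial0
 ip access-group FROM-PUBLIC in
!
! ----- Router B (inner): Serial1 = DMZ side, Serial0 = private side -----
! Nothing entering from the DMZ side reaches the private network except
! replies to sessions the private side opened, plus one explicit exception.
ip access-list extended FROM-DMZ
 remark replies to sessions the private side opened (to the DMZ or the Internet)
 permit tcp any 10.0.0.0 0.255.255.255 established
 remark the DMZ mail relay hands inbound mail to the internal server only
 permit tcp host 192.0.2.20 host 10.1.1.25 eq 25
 deny   ip any any log
!
interface Serial1
 ip access-group FROM-DMZ in
```

The final "deny ip any any log" on each list is what makes the denied-traffic log a useful signal: anything hitting it on Serial1 of Router B is a DMZ host trying to reach the private side unsolicited.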