Pros/Cons of DMZ subnet

Posted on 2005-05-06
Medium Priority
Last Modified: 2012-06-21
I got a PIX 515e-Restricted-DMZ firewall which has 3 interfaces which I believe are in, out, and DMZ.  I know I need to configure the "out" with a public address and the "in" with a private network address.  I got a bunch of servers and a mail server that need to be seen on the outside.  Is it required that I use a DMZ to make this work?  And what are the pros/cons of a DMZ?
Question by: Pentrix2
LVL 19

Accepted Solution

nodisco earned 1000 total points
ID: 13950289

The inside, outside and DMZ interfaces on your PIX 515e have assigned security levels - e.g. Inside 100, DMZ 50, Outside 0.
Traffic will not pass from a lower security interface to a higher one unless you explicitly say so, i.e. traffic will not go from outside>DMZ, from DMZ>inside or from outside>inside.

The DMZ is the ideal solution for what you are looking to achieve.  You are placing servers in a location where you can control outside access to them and also control their access to the inside (your internal LAN).  A common deployment would be putting outside-facing webservers in the DMZ : You can allow www browsing ONLY to them from the outside and can update them from the inside - while the machine is residing in the "safe area" of the DMZ.

You may have been assigned a range of public ip addresses from your ISP.  e.g.

To configure ip addresses of interfaces (the addresses and masks are placeholders here):

conf t
ip address outside <outside-ip> <mask>
ip address inside <inside-ip> <mask>
ip address DMZ <dmz-ip> <mask>

(Addresses and masks will be in line with your ISP and your local and DMZ networks)

You then need to create static translations from the DMZ to outside and create access-lists to define what outside access should be:

E.g. to set up a webserver in the DMZ (placeholders in angle brackets):
conf t
static (dmz,outside) <public-ip> <dmz-server-ip> netmask <mask> 0 0
(where <dmz-server-ip> is the ip address of the webserver in the DMZ and <public-ip> is the outside address it is reached on)
access-list outside_int permit tcp any host <public-ip> eq www
access-group outside_int in interface outside

Have a look at the link below for full details of setting up a mailserver in the DMZ.  The method is the same.

Hope this helps
LVL 13

Assisted Solution

Dr-IP earned 1000 total points
ID: 13958240
The only cons of a DMZ are you need an additional interface on the firewall, and additional public addresses for the DMZ zone.

The best way to look at a DMZ zone is to picture it as a place between your LAN and the internet. It's a good place to place your web servers or email server (ideally just a mail relay server that forwards the email to your main mail server on the LAN), so that if one of them becomes compromised it doesn't have direct and full access to the LAN like a host that is NATed on the LAN and has ports forwarded to it from public addresses accessible from the internet. At the same time the hosts in the DMZ can be protected from people trying to, for example, telnet to them, or attach to their NetBIOS ports if they are, for example, a Windows machine, yet the computers on the LAN can have full access to these hosts if desired so you can manage them.

In my opinion there is no substitute for a DMZ zone, although a lot of companies don't have them. The thing is, if one of those hosts they have NATed on the LAN ever becomes compromised, it's all over, as there will be nothing to protect the computers on the LAN from that compromised machine.

Author Comment

ID: 13958495
We are running a Domino server.  How would I set up a relay server that forwards the email to my main server on the LAN?  Would this be just an email box on a server that just forwards every email to another email server?

My mail server already has a public ip address so I can just put that on the Mail DMZ.

Author Comment

ID: 13958515
Has a PIX firewall ever been hacked or compromised?  Which one does a large or medium enterprise use more often, Checkpoint or a PIX?
LVL 13

Expert Comment

ID: 13959395
What I am talking about in the way of a relay server is a basic email server that forwards incoming email to the main mail server on the LAN, and relays outgoing email from it to the Internet. That way the internal email server doesn't have to communicate directly with any untrusted hosts ever, as the relay server is the one that takes that exposure, and since there isn't (at least there shouldn't be) anything valuable or sensitive kept on it, if it does become compromised it's more of a hassle than a disaster.

As for how to set one up, I generally don't get involved with that end of things, but most of them I have dealt with were Linux servers running sendmail, or something similar. I am sure if you search the web you can probably find instructions for setting it up, or you can try looking here, or ask a question.


As for being hacked, I don't think there is a firewall that hasn't been hacked in some way or another, especially those that are as flexible as the top firewalls are. The fact is, no matter how intrinsically secure a firewall is, if someone sets it up wrong, or does something stupid, it's not going to be able to provide the security it should.

Also, these days all the Trojans running around designed to open holes in firewalls from the inside are probably the second greatest security risk, and can only be fully addressed with aggressive antivirus policies, and making sure all your computers not only have antivirus programs installed on them, but are all updated on at least a daily basis. I can't stress enough how important this is from a security standpoint, as some of these Trojans are getting extremely adept at allowing remote access to hosts behind firewalls.
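A small Python model of the rules the two answers describe (interface security levels, static translations, inbound access-lists, and a DMZ mail relay that alone may talk SMTP to the internal server). This is an added example, not code from the thread or from Cisco; the addresses are constructed (RFC 1918 / RFC 5737 ranges) and the Domino server address is an assumption.

```python
"""Toy model of PIX security levels, statics and access-lists (constructed example)."""

SECURITY = {"inside": 100, "dmz": 50, "outside": 0}

# Which interface each real host sits behind; anything unknown is treated as "outside".
HOSTS = {
    "192.168.1.10": "inside",  # internal Domino server (assumed address)
    "172.16.1.10": "dmz",      # DMZ mail relay
    "172.16.1.20": "dmz",      # DMZ web server
}

# static (dmz,outside) <public> <real>: public address -> real DMZ address
STATICS = {"203.0.113.10": "172.16.1.10", "203.0.113.20": "172.16.1.20"}

# access-group <name> in interface <if>: entries are (proto, src, dst, port);
# "any" is a wildcard and dst is the address as seen on the ingress interface.
ACLS = {
    "outside": [("tcp", "any", "203.0.113.20", 80),     # www to the web server only
                ("tcp", "any", "203.0.113.10", 25)],    # smtp to the relay only
    "dmz": [("tcp", "172.16.1.10", "192.168.1.10", 25),  # relay hands mail to Domino
            ("tcp", "172.16.1.10", "any", 25)],          # relay sends mail out
}


def _match(entry, src, dst, proto, port):
    p, s, d, q = entry
    return p == proto and s in ("any", src) and d in ("any", dst) and q == port


def allowed(in_if, src, dst, proto, port):
    """Decide whether a flow entering on in_if is passed to its destination."""
    real_dst = STATICS.get(dst, dst)             # undo the static translation
    out_if = HOSTS.get(real_dst, "outside")
    if in_if == out_if:
        return False                             # same-interface traffic never transits the PIX
    if in_if == "outside" and dst not in STATICS:
        return False                             # no static: nothing maps this address to a host
    if in_if in ACLS:                            # an access-group on the ingress interface governs
        return any(_match(e, src, dst, proto, port) for e in ACLS[in_if])
    # No access-group bound: only higher -> lower security flows pass by default.
    return SECURITY[in_if] > SECURITY[out_if]


if __name__ == "__main__":
    print("outside -> web www:", allowed("outside", "198.51.100.7", "203.0.113.20", "tcp", 80))
    print("outside -> web telnet:", allowed("outside", "198.51.100.7", "203.0.113.20", "tcp", 23))
    print("compromised web -> LAN smb:", allowed("dmz", "172.16.1.20", "192.168.1.10", "tcp", 445))
    print("inside -> internet https:", allowed("inside", "192.168.1.50", "198.51.100.9", "tcp", 443))
```

The last check shows why the Trojan warning matters: with no access-group on inside, anything a LAN host initiates toward the outside passes by default.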
