Pros/Cons of DMZ subnet

Posted on 2005-05-06
Last Modified: 2012-06-21
I got a PIX 515e-Restricted-DMZ firewall which has 3 interfaces, which I believe are in, out, and DMZ.  I know I need to configure the "out" with a public address and the "in" with a private network address.  I have a bunch of servers and a mail server that need to be seen from the outside.  Is it required that I use a DMZ to make this work?  And what are the pros/cons of a DMZ?
Question by:Pentrix2
    LVL 19

    Accepted Solution


    The inside, outside and DMZ interfaces on your PIX 515e have assigned security levels - e.g. Inside 100, DMZ 50, Outside 0.
    Traffic will not pass from a lower security interface to a higher one unless you explicitly say so, i.e. traffic will not go from outside>DMZ, from DMZ>inside or outside>inside.

    The DMZ is the ideal solution for what you are looking to achieve.  You are placing servers in a location where you can control outside access to them and also control their access to the inside (your internal LAN).  A common deployment would be putting outside-facing webservers in the DMZ : You can allow www browsing ONLY to them from the outside and can update them from the inside - while the machine is residing in the "safe area" of the DMZ.

    You may have been assigned a range of public ip addresses from your ISP.  e.g.

    To configure ip addresses of interfaces:

    conf t
    ip address outside
    ip address inside
    ip address DMZ

    (Addresses and masks will be in line with your ISP and your local and DMZ networks)

    You then need to create static translations from the DMZ to outside and create access-lists to define what outside access should be:

    E.g. to setup a webserver in the DMZ:
    conf t
    static (dmz,outside) netmask 0 0
    (where is the ip address of the webserver in the DMZ)
    access-list outside_int permit tcp any host eq www
    access-group outside_int in interface outside

    Have a look at the link below for full details of setting up a mailserver in the DMZ.  The method is the same

    Hope this helps
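    As an added example (not part of the accepted answer or any poster's configuration), here is how the security levels, static translations and access-lists described above fit together in PIX 6.x syntax for the mail-relay case raised later in the thread. Addresses are constructed placeholders (203.0.113.0/24 public, 10.0.0.0/24 LAN, 192.168.2.0/24 DMZ); the relay at 192.168.2.10 and the internal Domino server at 10.0.0.25 are assumptions.

```cisco
! Added example (not from the original thread): PIX 6.x DMZ config
! for a mail relay. All addresses are constructed placeholders.
! Interfaces and security levels: inside 100, dmz 50, outside 0
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
!
! Inside hosts get PAT when going to the outside or the DMZ,
! which is what lets you manage DMZ servers from the LAN
nat (inside) 1 0 0
global (outside) 1 interface
global (dmz) 1 interface
!
! Publish the DMZ relay (192.168.2.10) on public 203.0.113.10
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255 0 0
! Expose the internal Domino server to the DMZ without translating it;
! lower-to-higher traffic needs a static before an ACL can permit it
static (inside,dmz) 10.0.0.25 10.0.0.25 netmask 255.255.255.255 0 0
!
! Outside may reach the relay on SMTP only; nothing else in the DMZ
! or on the LAN is reachable from the Internet
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside
!
! The relay may deliver mail to the Domino server and send outbound
! mail to the Internet. Everything else from the DMZ toward the LAN is
! dropped, so a compromised relay cannot roam the inside network.
access-list dmz_in permit tcp host 192.168.2.10 host 10.0.0.25 eq smtp
access-list dmz_in deny ip any 10.0.0.0 255.255.255.0
access-list dmz_in permit tcp host 192.168.2.10 any eq smtp
access-group dmz_in in interface dmz
```

    Verify the result with `show access-list` (hit counts on each line) and `show xlate` once mail starts flowing; a growing deny count on `dmz_in` is the signal that a DMZ host is trying to reach the LAN.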
    LVL 13

    Assisted Solution

    The only cons of a DMZ are you need an additional interface on the firewall, and additional public addresses for the DMZ zone.

    The best way to look at a DMZ zone is to picture it as a place between your LAN and the internet. It’s a good place to put your web servers or email server (ideally just a mail relay server that forwards the email to your main mail server on the LAN), so that if one of them becomes compromised it doesn’t have direct and full access to the LAN like a host that is NATed on the LAN and has ports forwarded to it from public addresses accessible from the internet. At the same time the hosts in the DMZ can be protected from people trying to, for example, telnet to them, or attach to their NetBIOS ports if they are for example a Windows machine, yet the computers on the LAN can have full access to these hosts if desired so you can manage them.

    In my opinion there is no substitute for a DMZ zone, although a lot of companies don’t have them. The thing is, if one of those hosts they have NATed on the LAN ever becomes compromised, it’s all over, as there will be nothing to protect the computers on the LAN from that compromised machine.
    LVL 9

    Author Comment

    We are running a Domino server.  How would I set up a relay server that forwards the email to my main server on the LAN?  Would this be just an email box on a server that just forwards every email to another email server?

    My mail server already has a public ip address so I can just put that on the Mail DMZ.
    LVL 9

    Author Comment

    Has a PIX firewall ever been hacked or compromised?  Which one does a large or medium enterprise use more often, Checkpoint or a PIX?
    LVL 13

    Expert Comment

    What I am talking about in the way of a relay server is a basic email server that forwards incoming email to the main mail server on the LAN, and relays outgoing email from it to the Internet. That way the internal email server doesn’t have to communicate directly with any untrusted hosts ever, as the relay server is the one that takes that exposure, and since there isn’t (at least there shouldn’t be) anything valuable or sensitive kept on it, if it does become compromised it’s more of a hassle than a disaster.

    As for how to set one up, I generally don’t get involved with that end of things, but most of them I have dealt with were Linux servers running sendmail, or something similar. I am sure if you search the web you can probably find instructions for setting it up, or you can try looking here, or ask a question.

    As for being hacked, I don’t think there is a firewall that hasn’t been hacked in some way or another, especially those that are as flexible as the top firewalls are. The fact is, no matter how intrinsically secure a firewall is, if someone sets it up wrong, or does something stupid, it’s not going to be able to provide the security it should.

    Also, these days, all the Trojans running around designed to open holes in firewalls from the inside are probably the second greatest hacking security risk, and can only be fully addressed with aggressive antivirus policies, and making sure all your computers not only have antivirus programs installed on them, but are all updated on at least a daily basis. I can’t stress how important this is from a security standpoint, as some of these Trojans are getting extremely adept at allowing remote access to hosts behind firewalls.
