Solved

Do I need a DMZ?

Posted on 2006-10-25
5
317 Views
Last Modified: 2010-04-09
Hello Experts.

I understand what a DMZ is but could someone explain to me why I need one if I use a third party to host my company web site?  I do have an Exchange server.  My current network setup is this:

Internet
   |
   |
Router
   |
   |
Firewall/Pix
   |
   |
Internal Network

It was suggested to me at a recently performed security audit that I should have a DMZ in place.  I'm not sure why I need one.  Can anyone answer that question for me?  If I do decide to set up a DMZ, would I place another firewall between the router and the current firewall, or between the firewall and the network?

Thanks.

Matt
Question by:braman1
5 Comments
 
LVL 4

Expert Comment

by:LBACIS
ID: 17806993
DMZs are designed to isolate the traffic from a trusted network. Use the interfaces on the PIX and change your rules accordingly. This way, (green) traffic that has not been scanned yet by your AV systems is not riding on your network. If you need me to elaborate more, let me know.
 
LVL 20

Assisted Solution

by:calvinetter
calvinetter earned 250 total points
ID: 17808791
As LBACIS alluded to, DMZs are basically meant as a zone that's not completely trusted, where you'd normally place any of your public servers: web, email, FTP, etc.  The decision to have one is entirely up to you.  If you have any other public servers besides the Exchange box, it's good practice to place them in a DMZ where you'd tightly control not only what gets into the DMZ, but what *gets out* of the DMZ, in case your public servers are compromised - which is always a risk with any public server.

   Exchange is a bit of an oddball regarding DMZs, since a single Exchange server needs to have knowledge of & access to your AD (Active Directory).  Your options for Exchange would be: 1) leave it on the inside & hope for the best, or 2) set up a "mail gateway" server in a DMZ, which forwards traffic to a 2nd internal Exchange server; the DMZ server wouldn't have access to your internal AD structure, nor would it need to, only the internal one.

   MS article on SMTP relay in a DMZ:  http://tinyurl.com/y6989v

cheers
 
LVL 9

Expert Comment

by:IPKON_Networks
ID: 17810590
A useful feature of a DMZ, aside from the public-facing aspects, is that you can use it for the following purposes, thus protecting your inner network.

1. Internet download area
2. Antivirus scanning
3. Content filtering for web browsing
4. VPN connection / authentication point
5. Spam filtering
6. URL/IP redirection

DMZs can also be untrusted as well as trusted networks, i.e. any traffic that comes in from the outside world MUST go through the untrusted DMZ. However, if it comes from known IP ranges/ports (such as VPN offices, customers etc.) then it can be directed to the trusted DMZ. It still needs to be kept separate from your internal network, but it is more trusted and known than the hackers and spammers of the world. Again, useful if you wish to protect your trusted DMZ equipment (such as Citrix servers etc.) but still need to keep it outside your internal network.

I'm sure you've read all this but worth spelling out sometimes

Hope this helps
Barny
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 17811265
>could someone explain to me why I need one if I use a third party to host my company web site?
You don't. Plain and simple.
The only thing that it could buy you is if you have a front-end email filtering/relay appliance that you would want to isolate from the inside LAN. If you don't have one, then merely having a DMZ just to satisfy auditors is ludicrous.
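Both calvinetter's "mail gateway in a DMZ" option and lrmoore's "front-end email filtering/relay appliance that you would want to isolate from the inside LAN" come down to the same firewall policy, so here is one worked version of it, following LBACIS's suggestion of using a third interface on the existing PIX rather than adding a second firewall. This is an added example, not configuration from the thread or from any of the posters. It assumes PIX 6.3-style syntax, an inside network of 10.0.0.0/24 with the Exchange server at 10.0.0.5, a new DMZ of 192.168.100.0/24 holding an SMTP relay at 192.168.100.10, a public address 203.0.113.10 for that relay, an upstream router at 203.0.113.1, and ISP resolvers at 198.51.100.1 and 198.51.100.2. Every address, interface name and access-list name is illustrative; lines beginning with "!" are notes, not commands.

```cisco
! Added example (not from the thread). Three-legged PIX: outside / inside / dmz.
! All addresses below are assumptions chosen for illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Inside users keep their existing PAT to the outside.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

! Identity static so DMZ and inside hosts see each other by real address;
! without it the PIX has no translation for inside<->dmz traffic.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

! Publish exactly one host and one port from the DMZ to the Internet.
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! What the DMZ may initiate (calvinetter's "what *gets out* of the DMZ").
! The relay may hand mail to Exchange on port 25 and nothing else inside;
! the deny for 10.0.0.0/24 is listed before the Internet permits on purpose.
access-list dmz_out permit tcp host 192.168.100.10 host 10.0.0.5 eq smtp
access-list dmz_out deny ip any 10.0.0.0 255.255.255.0 log
access-list dmz_out permit tcp host 192.168.100.10 any eq smtp
access-list dmz_out permit udp host 192.168.100.10 host 198.51.100.1 eq domain
access-list dmz_out permit udp host 192.168.100.10 host 198.51.100.2 eq domain
access-list dmz_out deny ip any any log
access-group dmz_out in interface dmz

! Inside: only Exchange talks to the relay, only SMTP; everything else inside
! is kept away from the DMZ, then normal Internet access continues.
access-list inside_out permit tcp host 10.0.0.5 host 192.168.100.10 eq smtp
access-list inside_out deny ip any 192.168.100.0 255.255.255.0 log
access-list inside_out permit ip 10.0.0.0 255.255.255.0 any
access-group inside_out in interface inside
```

The list to scrutinise is dmz_out: it is the one that limits the damage if the relay is compromised. The relay never needs Active Directory, file shares or RDP on the inside, so the only inbound-to-LAN entry is SMTP to the Exchange host, and the explicit deny for the inside subnet sits above the Internet permits so that a later "permit ... any" cannot reopen it. After sending a test message through the relay, `show access-list dmz_out` shows hit counts per entry; non-zero hits on the logged deny lines are exactly the "DMZ host probing inward" signal the audit was asking you to be able to see.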
 

Author Comment

by:braman1
ID: 17811808
I liked both calvinetter and lrmoore's responses so I split the points.  As for lrmoore's response that it would be ludicrous to set up a DMZ to satisfy auditors, I understand and agree, but I am not the owner of the company, and if the owners wish to throw money away...who am I to stop them.  BTW...it gives me a chance to gain more experience and learn something new.  Always a nice plus to learn something new.  :)

Thanks for the responses.