Do I need a DMZ?

Hello Experts.

I understand what a DMZ is, but could someone explain to me why I need one if I use a third party to host my company web site? I do have an Exchange server. My current network setup is this:

Internet
   |
   |
Router
   |
   |
Firewall/Pix
   |
   |
Internal Network

It was suggested to me at a recently performed security audit that I should have a DMZ in place. I'm not sure why I need one. Can anyone answer that question for me? If I do decide to set up a DMZ, would I place another firewall between the router and the current firewall, or between the firewall and the network?

Thanks.

Matt
braman1 asked.

lrmoore commented:
>could someone explain to me why I need one if I use a third party to host my company web site?
You don't. Plain and simple.
The only thing that it could buy you is if you have a front-end email filtering/relay appliance that you would want to isolate from the inside LAN. If you don't have one, then merely having a DMZ just to satisfy auditors is ludicrous.
LBACIS commented:
DMZs are designed to isolate the traffic from a trusted network. Use the interfaces on the PIX and change your rules accordingly. This way, (green) traffic that has not been scanned yet by your AV systems is not riding on your network. If you need me to elaborate more, let me know.
calvinetter commented:
As LBACIS alluded to, DMZs are basically meant as a zone that's not completely trusted, where you'd normally place any of your public servers: web, email, FTP, etc. The decision to have one is entirely up to you. If you have any other public servers besides the Exchange box, it's good practice to place them in a DMZ where you'd tightly control not only what gets into the DMZ, but what *gets out* of the DMZ, in case your public servers are compromised - which is always a risk with any public server.

Exchange is a bit of an oddball regarding DMZs, since a single Exchange server needs to have knowledge of & access to your AD (Active Directory). Your options for Exchange would be: 1) leave it on the inside & hope for the best, or 2) set up a "mail gateway" server in a DMZ, which forwards traffic to a 2nd internal Exchange server; the DMZ server wouldn't have access to your internal AD structure, nor would it need to, only the internal one.

MS article on SMTP relay in a DMZ: http://tinyurl.com/y6989v

Cheers
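As an added illustration of the mail-gateway layout calvinetter describes (this is not configuration from any of the posts above), here is a PIX 6.x-style ruleset for a third "dmz" interface holding only an SMTP relay, where the relay is reachable from the Internet on port 25 and the only thing it may initiate toward the inside is SMTP to the internal Exchange server and DNS to an internal resolver. All addresses (192.168.50.0/24 for the DMZ, 203.0.113.25 as the public address, 10.0.0.5 for Exchange, 10.0.0.2 for DNS) are assumed placeholders, and the `!` lines are annotations rather than PIX commands.

```cisco
! Added example, not from the thread; addresses are assumed placeholders.
! Third interface at an intermediate security level: outside (0) < dmz (50) < inside (100)
nameif ethernet2 dmz security50
ip address dmz 192.168.50.1 255.255.255.0

! Publish only the DMZ mail relay (192.168.50.25) on a public address,
! and accept nothing from the Internet except SMTP to it.
static (dmz,outside) 203.0.113.25 192.168.50.25 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside

! The only inside hosts that exist from the DMZ's point of view
! (identity statics: no address change, just reachability).
static (inside,dmz) 10.0.0.5 10.0.0.5 netmask 255.255.255.255
static (inside,dmz) 10.0.0.2 10.0.0.2 netmask 255.255.255.255

! What the relay may start, evaluated top to bottom:
!   SMTP to the internal Exchange server, DNS to the internal resolver,
!   then an explicit block on the rest of the inside network (so LDAP/389 to AD,
!   SMB/445, RDP/3389 etc. never leave the DMZ), then outbound SMTP to the Internet.
! Everything else from the DMZ is dropped: a compromised relay cannot reach AD.
access-list dmz_in permit tcp host 192.168.50.25 host 10.0.0.5 eq smtp
access-list dmz_in permit udp host 192.168.50.25 host 10.0.0.2 eq domain
access-list dmz_in deny ip host 192.168.50.25 10.0.0.0 255.255.255.0
access-list dmz_in permit tcp host 192.168.50.25 any eq smtp
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! Inside -> DMZ: the internal Exchange server hands outbound mail to the relay.
! NAT/global statements for ordinary inside -> Internet traffic are unchanged and not shown.
access-list inside_out permit tcp host 10.0.0.5 host 192.168.50.25 eq smtp
access-list inside_out deny ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_out permit ip 10.0.0.0 255.255.255.0 any
access-group inside_out in interface inside
```

The two `deny` lines are the part auditors are usually asking for: they make the DMZ a one-way door, so a foothold on the relay gives no path to Active Directory or to the rest of the LAN, and they make any blocked attempt from the DMZ show up in the PIX logs as an early warning.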
 
IPKON_NetworksCommented:
A useful feature of a DMZ, aside from the public facing aspects, is you can use it for the following reasons, thus protecting you inner network.

1. Internet download area
2. Antivirus scanning
3. Content filtering for web browsing
4. VPN connection / authentication point
5. Spam filtering
6. URL/IP redirection

DMZs can also be untrusted as well as trusted networks, i.e. any traffic that comes in from the outside world MUST go through the untrusted DMZ. However, if it comes from known IP ranges/ports (such as VPN offices, customers etc.) then it can be directed to the trusted DMZ. It still needs to be kept separate from your internal network, but is more trusted and known than the hackers and spammers of the world. Again, useful if you wish to protect your trusted DMZ equipment (such as Citrix servers etc.) but still need it to be outside your internal network.

I'm sure you've read all this, but it's worth spelling out sometimes.

Hope this helps
Barny
braman1 (author) commented:
I liked both calvinetter and lrmoore's responses, so I split the points. As for lrmoore's response that it would be ludicrous to set up a DMZ to satisfy auditors, I understand and agree, but I am not the owner of the company, and if the owners wish to throw money away... who am I to stop them. BTW, it gives me a chance to gain more experience and learn something new. Always a nice plus to learn something new. :)

Thanks for the responses.