Solved

Do I need a DMZ?

Posted on 2006-10-25
5
308 Views
Last Modified: 2010-04-09
Hello Experts.

I understand what a DMZ is but could someone explain to me why I need one if I use a third party to host my company web site?  I do have an Exchange server.  My current network setup is this:

Internet
   |
   |
Router
   |
   |
Firewall/Pix
   |
   |
Internal Network

It was suggested to me at a recently performed security audit that I should have a DMZ in place.  I'm not sure why I need one.  Can anyone answer that question for me?  If I do decide to set up a DMZ, would I place another firewall between the router and the current firewall, or between the firewall and the network?

Thanks.

Matt
0
Question by:braman1
5 Comments
 
LVL 4

Expert Comment

by:LBACIS
ID: 17806993
DMZs are designed to isolate the traffic from a trusted network. Use the interfaces on the PIX and change your rules accordingly. This way (Green) traffic that has not been scanned yet by your AV systems is not riding in your network. If you need me to elaborate more, let me know.
0
 
LVL 20

Assisted Solution

by:calvinetter
calvinetter earned 250 total points
ID: 17808791
As LBACIS alluded to, DMZs are basically meant as a zone that's not completely trusted, where you'd normally place any of your public servers: web, email, FTP, etc.  The decision to have one is entirely up to you.  If you have any other public servers besides the Exchange box, it's good practice to place them in a DMZ where you'd tightly control not only what gets into the DMZ, but what *gets out* of the DMZ, in case your public servers are compromised - which is always a risk with any public server.

   Exchange is a bit of an oddball regarding DMZs, since a single Exchange server needs to have knowledge of & access to your AD (Active Directory).  Your options for Exchange would be: 1) leave it on the inside & hope for the best, or 2) set up a "mail gateway" server in a DMZ, which forwards traffic to a 2nd internal Exchange server; the DMZ server wouldn't have access to your internal AD structure, nor would it need to, only the internal one.

   MS article on SMTP relay in a DMZ:  http://tinyurl.com/y6989v

cheers
0
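The zone policy calvinetter describes (public servers in a DMZ, with both ingress to and egress from the DMZ tightly controlled, and a DMZ mail gateway that can only hand mail to the internal Exchange box) can be written down and checked. The following is an added example, not code from this thread or from any Cisco product: a first-match policy model in Python with constructed sample addresses (the host names, zones and IPs are assumptions), useful for reasoning about what a compromised DMZ host could still reach.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses for the Internet / DMZ / internal layout
# discussed in the thread (assumptions, not the poster's real network).
EXCHANGE = "10.0.0.5"        # internal Exchange server (has AD access)
RELAY = "192.168.100.10"     # SMTP relay ("mail gateway") in the DMZ

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src_zone: str                   # "internet", "dmz", "internal" or "any"
    dst_zone: str
    proto: str                      # "tcp", "udp" or "any"
    dst_port: Optional[int]         # None = any port
    src_host: Optional[str] = None  # None = any host in the zone
    dst_host: Optional[str] = None

# First match wins, as in a PIX access-list; the final deny covers every
# inter-zone flow not explicitly permitted, including DMZ -> internal.
POLICY = [
    Rule("permit", "internet", "dmz", "tcp", 25, dst_host=RELAY),     # inbound mail to relay
    Rule("permit", "dmz", "internal", "tcp", 25, RELAY, EXCHANGE),    # relay -> Exchange only
    Rule("permit", "internal", "dmz", "tcp", 25, EXCHANGE, RELAY),    # outbound mail via relay
    Rule("permit", "dmz", "internet", "tcp", 25, src_host=RELAY),     # relay delivers outbound
    Rule("permit", "dmz", "internet", "udp", 53, src_host=RELAY),     # MX lookups for delivery
    Rule("deny", "any", "any", "any", None),                          # everything else
]

def _matches(pattern, value) -> bool:
    """A rule field of None or "any" is a wildcard; otherwise exact match."""
    return pattern is None or pattern == "any" or pattern == value

def evaluate(src_zone, dst_zone, proto, dst_port, src_host=None, dst_host=None) -> str:
    """Decide a new connection against POLICY; returns 'permit' or 'deny'."""
    for r in POLICY:
        if (_matches(r.src_zone, src_zone) and _matches(r.dst_zone, dst_zone)
                and _matches(r.proto, proto) and _matches(r.dst_port, dst_port)
                and _matches(r.src_host, src_host) and _matches(r.dst_host, dst_host)):
            return r.action
    return "deny"  # implicit deny if the policy had no catch-all

def permits_into(zone: str):
    """The permit rules able to reach `zone`: the short list an auditor reviews."""
    return [r for r in POLICY if r.action == "permit" and r.dst_zone == zone]
```

With this policy, a compromised relay can still only open SMTP to Exchange; SMB, RDP or anything else toward the inside falls through to the final deny, which is the "what gets out of the DMZ" control the answer refers to.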
 
LVL 9

Expert Comment

by:IPKON_Networks
ID: 17810590
A useful feature of a DMZ, aside from the public-facing aspects, is that you can use it for the following purposes, thus protecting your inner network.

1. Internet download area
2. Antivirus scanning
3. Content filtering for web browsing
4. VPN connection / authentication point
5. Spam filtering
6. URL/IP redirection

DMZs can also be untrusted as well as trusted networks, i.e. any traffic that comes in from the outside world MUST go through the untrusted DMZ. However, if it comes from known IP ranges/ports (such as VPN offices, customers etc.) then it can be directed to the trusted DMZ. It still needs to be kept separate from your internal network, but is more trusted and known than the hackers and spammers of the world. Again, useful if you wish to protect your trusted DMZ equipment (such as Citrix servers etc.) but still need it to be outside your internal network.

I'm sure you've read all this, but it's worth spelling out sometimes.

Hope this helps
Barny
0
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 17811265
>could someone explain to me why I need one if I use a third party to host my company web site?
You don't. Plain and simple.
The only thing that it could buy you is if you have a front-end email filtering/relay appliance that you would want to isolate from the inside LAN. If you don't have one, then merely having a DMZ just to satisfy auditors is ludicrous.
0
 

Author Comment

by:braman1
ID: 17811808
I liked both calvinetter's and lrmoore's responses, so I split the points.  As for lrmoore's response that it would be ludicrous to set up a DMZ to satisfy auditors, I understand and agree, but I am not the owner of the company, and if the owners wish to throw money away... who am I to stop them?  BTW... it gives me a chance to gain more experience and learn something new.  Always a nice plus to learn something new.  :)

Thanks for the responses.
0