Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

DMZ

Posted on 2009-05-19
7
Medium Priority
?
452 Views
Last Modified: 2012-05-07
<---------Firewall facing internet--->switch------>anotherfirewall
                            [firewall 1]                                   [ firewall2   ]                          
                                                             |                                |
                                                             |                                |
                                                             |                                |
                                                    Another firewall               |
                                                             |       [firewall3]        |                 |
                                                                                              |
                                                  Two switches   --------------                                                          
                                                             |
                                                     Few servers


What is the DMZ zone in this scenario?

I learnt that DMZ is the region between two firewalls.

There are three firewalls in this scenario ?how to determine the dmz zone?
0
Comment
Question by:phoenix26
  • 2
  • 2
  • 2
6 Comments
 
LVL 1

Accepted Solution

by:
ryecatcher earned 672 total points
ID: 24419563
Hi phoenix26,

I would define a DMZ as a place where you put servers that you want to give the public access to (usually over the Internet). Eg your public webserver, public DNS server, FTP server or SMTP server.  It may be placed between 2 firewalls, or it may not.
In other words, it is the purpose of a zone that makes it a DMZ and not its relative placement.

The purpose of a DMZ is to define an area where you place your publicly accessible servers and collectively manage these servers that are open to a higher risk of attack. And because they are placed together in the DMZ, it would be easier to administrate and handle the risk that they are exposed to.
0
 
LVL 1

Expert Comment

by:ryecatcher
ID: 24419568
Hi phoenix26,

To add on to my previous comment. In your case, the DMZ would be where your publicly accessible servers are located. If the servers are placed between firewall 1 & 2, then that would be your DMZ.
0
 
LVL 32

Expert Comment

by:aleghart
ID: 24425307
Logically, your DMZ will hang off FW1.  The DMZ is behind the firewall protectin, but the machines all maintain WAN IP addresses.

The DMZ is designed so that custom rules will both protect the DMZ from the WAN, and allow access by the LAN without needing a separate firewall to contain public servers.

It's not a change in mindset, it's a reduction in equipment.
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 
LVL 19

Expert Comment

by:CoccoBill
ID: 24431072
> The DMZ is designed so that custom rules will both protect the DMZ from the WAN, and allow access by the LAN without needing a separate firewall to contain public servers.

I'm not sure I follow, and if I do I disagree. A properly implemented DMZ filters traffic from WAN to DMZ, from DMZ to LAN, from LAN to DMZ and from DMZ to WAN. Direct connections from the WAN to the LAN or LAN to WAN are not allowed. Whether this functionality is accomplished with 1, 2 or more physical firewall devices is irrelevant.

http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
0
 
LVL 32

Assisted Solution

by:aleghart
aleghart earned 664 total points
ID: 24434049
> Direct connections from the WAN to the LAN or LAN to WAN are not allowed.

This is not a function of the DMZ.  It is a function of the firewall/router.

The DMZ is simply a different zone with it's own custom rules to route and filter traffic from both the WAN and the LAN.

LAN workstations can still reach the WAN without passing through the DMZ.  That is a fallacy borrowed from the use of the term DMZ.  A traditional De-Militarized Zone does, in fact, lie between two armed enemies.

Your WAN router can allow traffic requests from LAN>WAN, than allow that return traffic from WAN>LAN on to the specific workstation and application requesting the traffic.

Also, your WAN router can be configured to NAT WAN requests directly to a LAN server or workstation.

All while there is still a DMZ.  The existence of a DMZ does not magically override and other routing functions.  It just make life a little easier by creating an extra zone.  Rules (especially in a object-based configuration) are a little easier to understand.

If you disagree with that, you've never created or managed a DMZ on a WAN router.  Basic stuff, even for me.  I'm no expert by any stretch of the imagination.  (I love my GUIs.)
0
 
LVL 19

Assisted Solution

by:CoccoBill
CoccoBill earned 664 total points
ID: 24434798
> That is a fallacy borrowed from the use of the term DMZ.  A traditional De-Militarized Zone does, in fact, lie between two armed enemies.

Yes, between your "army" aka your internal network and the "enemy", the internet.

> If you disagree with that, you've never created or managed a DMZ on a WAN router.

I don't, I disagree with a DMZ's purpose being to reduce equipment, I think its purpose is to improve security. I was talking about a properly configured DMZ since this is the security zone. Yes, you're right, LAN to WAN access is typically allowed, but only for workstations, not servers, and it's never routed through the DMZ. DMZs are usually used to protect the server segments, not the workstation segments.

0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like me and like multiple layers of protection, read on!
Experts Exchange expands question security options for members.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question