DMZ

<---------Firewall facing internet--->switch------>anotherfirewall
                            [firewall 1]                                   [ firewall2   ]                          
                                                             |                                |
                                                             |                                |
                                                             |                                |
                                                    Another firewall               |
                                                             |       [firewall3]        |                 |
                                                                                              |
                                                  Two switches   --------------                                                          
                                                             |
                                                     Few servers


What is the DMZ zone in this scenario?

I learnt that DMZ is the region between two firewalls.

There are three firewalls in this scenario ?how to determine the dmz zone?
phoenix26Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
ryecatcherConnect With a Mentor Commented:
Hi phoenix26,

I would define a DMZ as a place where you put servers that you want to give the public access to (usually over the Internet). Eg your public webserver, public DNS server, FTP server or SMTP server.  It may be placed between 2 firewalls, or it may not.
In other words, it is the purpose of a zone that makes it a DMZ and not its relative placement.

The purpose of a DMZ is to define an area where you place your publicly accessible servers and collectively manage these servers that are open to a higher risk of attack. And because they are placed together in the DMZ, it would be easier to administrate and handle the risk that they are exposed to.
0
 
ryecatcherCommented:
Hi phoenix26,

To add on to my previous comment. In your case, the DMZ would be where your publicly accessible servers are located. If the servers are placed between firewall 1 & 2, then that would be your DMZ.
0
 
aleghartCommented:
Logically, your DMZ will hang off FW1.  The DMZ is behind the firewall protectin, but the machines all maintain WAN IP addresses.

The DMZ is designed so that custom rules will both protect the DMZ from the WAN, and allow access by the LAN without needing a separate firewall to contain public servers.

It's not a change in mindset, it's a reduction in equipment.
0
Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

 
CoccoBillCommented:
> The DMZ is designed so that custom rules will both protect the DMZ from the WAN, and allow access by the LAN without needing a separate firewall to contain public servers.

I'm not sure I follow, and if I do I disagree. A properly implemented DMZ filters traffic from WAN to DMZ, from DMZ to LAN, from LAN to DMZ and from DMZ to WAN. Direct connections from the WAN to the LAN or LAN to WAN are not allowed. Whether this functionality is accomplished with 1, 2 or more physical firewall devices is irrelevant.

http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
0
 
aleghartConnect With a Mentor Commented:
> Direct connections from the WAN to the LAN or LAN to WAN are not allowed.

This is not a function of the DMZ.  It is a function of the firewall/router.

The DMZ is simply a different zone with it's own custom rules to route and filter traffic from both the WAN and the LAN.

LAN workstations can still reach the WAN without passing through the DMZ.  That is a fallacy borrowed from the use of the term DMZ.  A traditional De-Militarized Zone does, in fact, lie between two armed enemies.

Your WAN router can allow traffic requests from LAN>WAN, than allow that return traffic from WAN>LAN on to the specific workstation and application requesting the traffic.

Also, your WAN router can be configured to NAT WAN requests directly to a LAN server or workstation.

All while there is still a DMZ.  The existence of a DMZ does not magically override and other routing functions.  It just make life a little easier by creating an extra zone.  Rules (especially in a object-based configuration) are a little easier to understand.

If you disagree with that, you've never created or managed a DMZ on a WAN router.  Basic stuff, even for me.  I'm no expert by any stretch of the imagination.  (I love my GUIs.)
0
 
CoccoBillConnect With a Mentor Commented:
> That is a fallacy borrowed from the use of the term DMZ.  A traditional De-Militarized Zone does, in fact, lie between two armed enemies.

Yes, between your "army" aka your internal network and the "enemy", the internet.

> If you disagree with that, you've never created or managed a DMZ on a WAN router.

I don't, I disagree with a DMZ's purpose being to reduce equipment, I think its purpose is to improve security. I was talking about a properly configured DMZ since this is the security zone. Yes, you're right, LAN to WAN access is typically allowed, but only for workstations, not servers, and it's never routed through the DMZ. DMZs are usually used to protect the server segments, not the workstation segments.

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.