Solved

DMZ

Posted on 2009-05-19
Last Modified: 2012-05-07
<---------Firewall facing internet--->switch------>anotherfirewall
                            [firewall 1]                                   [ firewall2   ]                          
                                                             |                                |
                                                             |                                |
                                                             |                                |
                                                    Another firewall               |
                                                             |       [firewall3]        |                 |
                                                                                              |
                                                  Two switches   --------------                                                          
                                                             |
                                                     Few servers


What is the DMZ zone in this scenario?

I learnt that DMZ is the region between two firewalls.

There are three firewalls in this scenario. How do I determine the DMZ zone?

Question by: phoenix26
LVL 1

Accepted Solution

by: ryecatcher (earned 168 total points)
ID: 24419563
Hi phoenix26,

I would define a DMZ as a place where you put servers that you want to give the public access to (usually over the Internet), e.g. your public web server, public DNS server, FTP server or SMTP server. It may be placed between 2 firewalls, or it may not.
In other words, it is the purpose of a zone that makes it a DMZ and not its relative placement.

The purpose of a DMZ is to define an area where you place your publicly accessible servers and collectively manage these servers that are open to a higher risk of attack. And because they are placed together in the DMZ, it would be easier to administrate and handle the risk that they are exposed to.
LVL 1

Expert Comment

by: ryecatcher
ID: 24419568
Hi phoenix26,

To add on to my previous comment. In your case, the DMZ would be where your publicly accessible servers are located. If the servers are placed between firewall 1 & 2, then that would be your DMZ.
LVL 32

Expert Comment

by: aleghart
ID: 24425307
Logically, your DMZ will hang off FW1. The DMZ is behind the firewall protection, but the machines all maintain WAN IP addresses.

The DMZ is designed so that custom rules will both protect the DMZ from the WAN, and allow access by the LAN without needing a separate firewall to contain public servers.

It's not a change in mindset, it's a reduction in equipment.
LVL 19

Expert Comment

by: CoccoBill
ID: 24431072
> The DMZ is designed so that custom rules will both protect the DMZ from the WAN, and allow access by the LAN without needing a separate firewall to contain public servers.

I'm not sure I follow, and if I do I disagree. A properly implemented DMZ filters traffic from WAN to DMZ, from DMZ to LAN, from LAN to DMZ and from DMZ to WAN. Direct connections from the WAN to the LAN or LAN to WAN are not allowed. Whether this functionality is accomplished with 1, 2 or more physical firewall devices is irrelevant.

http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
LVL 32

Assisted Solution

by: aleghart (earned 166 total points)
ID: 24434049
> Direct connections from the WAN to the LAN or LAN to WAN are not allowed.

This is not a function of the DMZ.  It is a function of the firewall/router.

The DMZ is simply a different zone with its own custom rules to route and filter traffic from both the WAN and the LAN.

LAN workstations can still reach the WAN without passing through the DMZ.  That is a fallacy borrowed from the use of the term DMZ.  A traditional De-Militarized Zone does, in fact, lie between two armed enemies.

Your WAN router can allow traffic requests from LAN>WAN, then allow that return traffic from WAN>LAN on to the specific workstation and application requesting the traffic.

Also, your WAN router can be configured to NAT WAN requests directly to a LAN server or workstation.

All while there is still a DMZ. The existence of a DMZ does not magically override any other routing functions. It just makes life a little easier by creating an extra zone. Rules (especially in an object-based configuration) are a little easier to understand.

If you disagree with that, you've never created or managed a DMZ on a WAN router. Basic stuff, even for me. I'm no expert by any stretch of the imagination. (I love my GUIs.)
LVL 19

Assisted Solution

by: CoccoBill (earned 166 total points)
ID: 24434798
> That is a fallacy borrowed from the use of the term DMZ. A traditional De-Militarized Zone does, in fact, lie between two armed enemies.

Yes, between your "army" aka your internal network and the "enemy", the internet.

> If you disagree with that, you've never created or managed a DMZ on a WAN router.

I don't, I disagree with a DMZ's purpose being to reduce equipment, I think its purpose is to improve security. I was talking about a properly configured DMZ since this is the security zone. Yes, you're right, LAN to WAN access is typically allowed, but only for workstations, not servers, and it's never routed through the DMZ. DMZs are usually used to protect the server segments, not the workstation segments.

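The two points the thread converges on (CoccoBill: a DMZ filters WAN->DMZ, DMZ->LAN, LAN->DMZ and DMZ->WAN and never permits a direct WAN->LAN path; aleghart: LAN->WAN requests are allowed and the firewall's state table lets the replies back in) can be expressed as one zone policy regardless of how many physical boxes enforce it. The following Python model is an added example written for this page, not code from any of the posters. All addresses, ports and service names in it are constructed (RFC 5737 documentation space for the DMZ, RFC 1918 space for the LAN), and the function and class names are hypothetical.

```python
"""Zone-based firewall policy model (constructed example, not from the thread).

Zones are defined by purpose and rules, not by how many boxes enforce them:
WAN -> DMZ reaches only published services, DMZ -> LAN only explicit flows,
WAN -> LAN never directly, LAN -> WAN allowed with stateful replies.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing; the question gives no addresses.
ZONE_NETS = {
    "DMZ": ip_network("203.0.113.0/24"),
    "LAN": ip_network("10.0.0.0/8"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside DMZ/LAN is the WAN."""
    ip = ip_address(addr)
    for name, net in ZONE_NETS.items():
        if ip in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


# Services the DMZ publishes to the Internet (constructed sample values).
PUBLISHED = {
    ("203.0.113.10", "tcp", 80),    # public web
    ("203.0.113.10", "tcp", 443),
    ("203.0.113.20", "tcp", 25),    # inbound SMTP
    ("203.0.113.30", "udp", 53),    # public DNS
}

# The only flows a DMZ host may initiate into the LAN (web tier -> database).
DMZ_TO_LAN = {("203.0.113.10", "10.0.5.20", "tcp", 5432)}


def _wan_to_dmz(f: Flow) -> bool:
    return (f.dst, f.proto, f.dport) in PUBLISHED


def _dmz_to_lan(f: Flow) -> bool:
    return (f.src, f.dst, f.proto, f.dport) in DMZ_TO_LAN


def _dmz_to_wan(f: Flow) -> bool:
    # Outbound from the DMZ is filtered too: DNS, mail relay, HTTPS updates.
    return (f.proto, f.dport) in {("udp", 53), ("tcp", 25), ("tcp", 443)}


def _allow(f: Flow) -> bool:
    return True


def _deny(f: Flow) -> bool:
    return False


# Policy matrix keyed by (source zone, destination zone).
POLICY = {
    ("WAN", "DMZ"): _wan_to_dmz,
    ("DMZ", "LAN"): _dmz_to_lan,
    ("DMZ", "WAN"): _dmz_to_wan,
    ("LAN", "DMZ"): _allow,   # users/admins reach DMZ; tighten per service
    ("LAN", "WAN"): _allow,   # workstations browse; replies come back via state
    ("WAN", "LAN"): _deny,    # never a direct path from the Internet inward
}


class StatefulFirewall:
    """One policy engine standing in for one, two or three physical boxes."""

    def __init__(self) -> None:
        self.established: set = set()

    def decide(self, f: Flow) -> str:
        key = (f.src, f.sport, f.dst, f.dport, f.proto)
        reverse = (f.dst, f.dport, f.src, f.sport, f.proto)
        if reverse in self.established:
            return "ACCEPT"            # reply to a connection already allowed
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone == dst_zone:
            return "ACCEPT"            # intra-zone traffic never crosses the firewall
        if POLICY.get((src_zone, dst_zone), _deny)(f):
            self.established.add(key)  # record so the reply is accepted
            return "ACCEPT"
        return "DROP"


if __name__ == "__main__":
    fw = StatefulFirewall()
    samples = [
        Flow("198.51.100.7", 40000, "203.0.113.10", 443, "tcp"),  # WAN -> published web
        Flow("198.51.100.7", 40001, "203.0.113.10", 22, "tcp"),   # WAN -> unpublished SSH
        Flow("198.51.100.7", 40002, "10.0.5.20", 5432, "tcp"),    # WAN -> LAN directly
        Flow("10.0.1.5", 50000, "198.51.100.7", 80, "tcp"),       # LAN -> WAN browse
        Flow("198.51.100.7", 80, "10.0.1.5", 50000, "tcp"),       # its reply
        Flow("203.0.113.10", 33000, "10.0.5.20", 5432, "tcp"),    # DMZ -> LAN database
    ]
    for s in samples:
        print(f"{zone_of(s.src)}->{zone_of(s.dst)} {s.src}:{s.sport} -> "
              f"{s.dst}:{s.dport}/{s.proto}: {fw.decide(s)}")
```

Running the script shows the WAN reaching only the published DMZ services, the direct WAN->LAN attempt dropped even though the same engine permits LAN->WAN and its stateful reply, and the DMZ web tier reaching just its one database flow. Whether `POLICY` is loaded into firewall 1, split across firewalls 1 and 2, or spread over all three devices in the question's diagram changes nothing about which zone is the DMZ: it is the zone holding the hosts in `PUBLISHED`.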