Solved

DMZ

Posted on 2009-05-19
Last Modified: 2012-05-07
<---------Firewall facing internet--->switch------>anotherfirewall
                            [firewall 1]                                   [ firewall2   ]                          
                                                             |                                |
                                                             |                                |
                                                             |                                |
                                                    Another firewall               |
                                                             |       [firewall3]        |                 |
                                                                                              |
                                                  Two switches   --------------                                                          
                                                             |
                                                     Few servers


What is the DMZ zone in this scenario?

I learnt that DMZ is the region between two firewalls.

There are three firewalls in this scenario. How do I determine the DMZ zone?
0
Comment
Question by:phoenix26
7 Comments
 
LVL 1

Accepted Solution

by:
ryecatcher earned 168 total points
ID: 24419563
Hi phoenix26,

I would define a DMZ as a place where you put servers that you want to give the public access to (usually over the Internet). E.g. your public webserver, public DNS server, FTP server or SMTP server.  It may be placed between 2 firewalls, or it may not.
In other words, it is the purpose of a zone that makes it a DMZ and not its relative placement.

The purpose of a DMZ is to define an area where you place your publicly accessible servers and collectively manage these servers that are open to a higher risk of attack. And because they are placed together in the DMZ, it would be easier to administrate and handle the risk that they are exposed to.
0
 
LVL 1

Expert Comment

by:ryecatcher
ID: 24419568
Hi phoenix26,

To add on to my previous comment. In your case, the DMZ would be where your publicly accessible servers are located. If the servers are placed between firewall 1 & 2, then that would be your DMZ.
0
 
LVL 32

Expert Comment

by:aleghart
ID: 24425307
Logically, your DMZ will hang off FW1.  The DMZ is behind the firewall protection, but the machines all maintain WAN IP addresses.

The DMZ is designed so that custom rules will both protect the DMZ from the WAN, and allow access by the LAN without needing a separate firewall to contain public servers.

It's not a change in mindset, it's a reduction in equipment.
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 24431072
> The DMZ is designed so that custom rules will both protect the DMZ from the WAN, and allow access by the LAN without needing a separate firewall to contain public servers.

I'm not sure I follow, and if I do I disagree. A properly implemented DMZ filters traffic from WAN to DMZ, from DMZ to LAN, from LAN to DMZ and from DMZ to WAN. Direct connections from the WAN to the LAN or LAN to WAN are not allowed. Whether this functionality is accomplished with 1, 2 or more physical firewall devices is irrelevant.

http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
0
 
LVL 32

Assisted Solution

by:aleghart
aleghart earned 166 total points
ID: 24434049
> Direct connections from the WAN to the LAN or LAN to WAN are not allowed.

This is not a function of the DMZ.  It is a function of the firewall/router.

The DMZ is simply a different zone with its own custom rules to route and filter traffic from both the WAN and the LAN.

LAN workstations can still reach the WAN without passing through the DMZ.  That is a fallacy borrowed from the use of the term DMZ.  A traditional De-Militarized Zone does, in fact, lie between two armed enemies.

Your WAN router can allow traffic requests from LAN>WAN, then allow that return traffic from WAN>LAN on to the specific workstation and application requesting the traffic.

Also, your WAN router can be configured to NAT WAN requests directly to a LAN server or workstation.

All while there is still a DMZ.  The existence of a DMZ does not magically override any other routing functions.  It just makes life a little easier by creating an extra zone.  Rules (especially in an object-based configuration) are a little easier to understand.

If you disagree with that, you've never created or managed a DMZ on a WAN router.  Basic stuff, even for me.  I'm no expert by any stretch of the imagination.  (I love my GUIs.)
0
 
LVL 19

Assisted Solution

by:CoccoBill
CoccoBill earned 166 total points
ID: 24434798
> That is a fallacy borrowed from the use of the term DMZ.  A traditional De-Militarized Zone does, in fact, lie between two armed enemies.

Yes, between your "army" aka your internal network and the "enemy", the internet.

> If you disagree with that, you've never created or managed a DMZ on a WAN router.

I don't; I disagree with a DMZ's purpose being to reduce equipment, I think its purpose is to improve security. I was talking about a properly configured DMZ since this is the security zone. Yes, you're right, LAN to WAN access is typically allowed, but only for workstations, not servers, and it's never routed through the DMZ. DMZs are usually used to protect the server segments, not the workstation segments.

0
