Solved

DMZ

Posted on 2009-05-19
7
437 Views
Last Modified: 2012-05-07
<---------Firewall facing internet--->switch------>anotherfirewall
                            [firewall 1]                                   [ firewall2   ]                          
                                                             |                                |
                                                             |                                |
                                                             |                                |
                                                    Another firewall               |
                                                             |       [firewall3]        |                 |
                                                                                              |
                                                  Two switches   --------------                                                          
                                                             |
                                                     Few servers


What is the DMZ zone in this scenario?

I learnt that DMZ is the region between two firewalls.

There are three firewalls in this scenario ?how to determine the dmz zone?
0
Comment
Question by:phoenix26
  • 2
  • 2
  • 2
7 Comments
 
LVL 1

Accepted Solution

by:
ryecatcher earned 168 total points
ID: 24419563
Hi phoenix26,

I would define a DMZ as a place where you put servers that you want to give the public access to (usually over the Internet). Eg your public webserver, public DNS server, FTP server or SMTP server.  It may be placed between 2 firewalls, or it may not.
In other words, it is the purpose of a zone that makes it a DMZ and not its relative placement.

The purpose of a DMZ is to define an area where you place your publicly accessible servers and collectively manage these servers that are open to a higher risk of attack. And because they are placed together in the DMZ, it would be easier to administrate and handle the risk that they are exposed to.
0
 
LVL 1

Expert Comment

by:ryecatcher
ID: 24419568
Hi phoenix26,

To add on to my previous comment. In your case, the DMZ would be where your publicly accessible servers are located. If the servers are placed between firewall 1 & 2, then that would be your DMZ.
0
 
LVL 32

Expert Comment

by:aleghart
ID: 24425307
Logically, your DMZ will hang off FW1.  The DMZ is behind the firewall protectin, but the machines all maintain WAN IP addresses.

The DMZ is designed so that custom rules will both protect the DMZ from the WAN, and allow access by the LAN without needing a separate firewall to contain public servers.

It's not a change in mindset, it's a reduction in equipment.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 19

Expert Comment

by:CoccoBill
ID: 24431072
> The DMZ is designed so that custom rules will both protect the DMZ from the WAN, and allow access by the LAN without needing a separate firewall to contain public servers.

I'm not sure I follow, and if I do I disagree. A properly implemented DMZ filters traffic from WAN to DMZ, from DMZ to LAN, from LAN to DMZ and from DMZ to WAN. Direct connections from the WAN to the LAN or LAN to WAN are not allowed. Whether this functionality is accomplished with 1, 2 or more physical firewall devices is irrelevant.

http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
0
 
LVL 32

Assisted Solution

by:aleghart
aleghart earned 166 total points
ID: 24434049
> Direct connections from the WAN to the LAN or LAN to WAN are not allowed.

This is not a function of the DMZ.  It is a function of the firewall/router.

The DMZ is simply a different zone with it's own custom rules to route and filter traffic from both the WAN and the LAN.

LAN workstations can still reach the WAN without passing through the DMZ.  That is a fallacy borrowed from the use of the term DMZ.  A traditional De-Militarized Zone does, in fact, lie between two armed enemies.

Your WAN router can allow traffic requests from LAN>WAN, than allow that return traffic from WAN>LAN on to the specific workstation and application requesting the traffic.

Also, your WAN router can be configured to NAT WAN requests directly to a LAN server or workstation.

All while there is still a DMZ.  The existence of a DMZ does not magically override and other routing functions.  It just make life a little easier by creating an extra zone.  Rules (especially in a object-based configuration) are a little easier to understand.

If you disagree with that, you've never created or managed a DMZ on a WAN router.  Basic stuff, even for me.  I'm no expert by any stretch of the imagination.  (I love my GUIs.)
0
 
LVL 19

Assisted Solution

by:CoccoBill
CoccoBill earned 166 total points
ID: 24434798
> That is a fallacy borrowed from the use of the term DMZ.  A traditional De-Militarized Zone does, in fact, lie between two armed enemies.

Yes, between your "army" aka your internal network and the "enemy", the internet.

> If you disagree with that, you've never created or managed a DMZ on a WAN router.

I don't, I disagree with a DMZ's purpose being to reduce equipment, I think its purpose is to improve security. I was talking about a properly configured DMZ since this is the security zone. Yes, you're right, LAN to WAN access is typically allowed, but only for workstations, not servers, and it's never routed through the DMZ. DMZs are usually used to protect the server segments, not the workstation segments.

0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Pop culture is prime bait for hackers seeking to infect user’s computers and mobile devices with malicious malware. Hackers know exactly what the latest trends are online and know how to use them to their advantage.
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question