cfgtechs asked:
validate this article please on DMZ setups

http://www.skullbox.net/configureDMZnetwork.php

I have the first example configuration the author writes about. Can someone point to a reference where I can see this configuration drawn out? I contacted the author, but he said he built it this way according to his own work experience. Many thanks.
harbor235:

I do not like that setup; it does not provide inspection capabilities for traffic destined to your DMZ hosts, leaving the DMZ hosts totally unprotected. But what is your question specifically about the design?

I prefer the following:


                                            ISP
                                              |                                / server1
                                     FIREWALL--------DMZSWITCH
                                             |                                  \server2
                                             |
                                     InternalNetwork



harbor235 ;}
The second option, using a firewall DMZ, is the best option, especially if you are going to use a Juniper SSG device. The cons do not really hold up, since you can configure 2 SSG140s in High Availability mode, and by using a loopback interface you can give a public IP directly to a server on the LAN. (I use the loopback to give my SonicWall SSL VPN a public IP.)

If you do not need your internal servers to have a public IP and can use a mapped public IP, I would go with option 2.
cfgtechs (asker):

This is what I have going on; how does this look? Should I put in change orders to get the VPNs behind the NSA3500?


                            ISP
                              |
              |--------DMZ SWITCH------------------------------------|
                   |                                                   |
                  3rd Party Cisco VPN (x2)                |
                                                                        |
                                                               NSA 3500
                                                                |         |
                                                                |        xwall port 25
                                                                |          |
                                                                |        Exchange 2003
                                                            internal network
I am not sure from your diagram; however, the main point behind the diagram I drew is that there is a separate DMZ switch from the one that connects to your internal networks, as well as a security policy that enforces internet-to-DMZ and no internet-to-internal traffic flows. All services are in the DMZ (web, mail, etc.), so internal host flows for enterprise services are directed to the DMZ, and potentially internal-to-internet flows go through a web proxy in the DMZ as well.


harbor235
harbor,

" But what is your question specifically about the design?"

I guess my question is: is it a valid DMZ, taking into account that I have 1 Exchange server that is inside the firewall? A front and rear Exchange would be ideal, but I don't have that.

And the only other devices that require a public IP are the 3rd party VPNs. I guess I could configure an interface on the NSA3500 and give it the assigned public IP accorded to each device, taking it to the inside of the firewall.
If you are talking about the original DMZ design via the URL you provided and the first example, I would never deploy that design. My reason: there is nothing protecting the Exchange server if it is only connected to a switch and not behind a FW to perform deep packet inspection, policy enforcement, and attack mitigation. The services deployed in this fashion would be unreliable from my perspective.

The design I provided can still use public addressing; the key discernible differences are that my design allows the Exchange server to be behind a FW and uses a separate DMZ switch.

It's all about enforcing a policy. You can do it any way you like; however, I am not sure it meets network security best practices.

harbor235 ;}
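As an added illustration (not code from any poster in this thread), a small Python model of the zone policy harbor235 describes in the two posts above: the internet may reach only published DMZ services, internet-to-internal is never permitted, internal hosts reach enterprise services in the DMZ, and internal-to-internet web traffic goes via a proxy in the DMZ. Zone address ranges, ports and the sample flows are constructed examples.

```python
from ipaddress import ip_address, ip_network

# Zone membership. Ranges are constructed (RFC 5737 / RFC 1918) examples;
# any address not in a named zone is treated as the internet.
ZONES = {
    "dmz": [ip_network("203.0.113.0/24")],
    "internal": [ip_network("10.0.0.0/8")],
}

def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown space is 'internet'."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"

# Allow rules (src_zone, dst_zone, dst_port); None means any port. There is
# deliberately no internet->internal and no dmz->internal rule: those fall
# through to the default deny in is_allowed().
RULES = [
    ("internet", "dmz", 25),     # inbound mail to the DMZ relay
    ("internet", "dmz", 443),    # published web service
    ("internal", "dmz", 25),     # internal hosts use the DMZ mail relay
    ("internal", "dmz", 3128),   # web proxy living in the DMZ
    ("dmz", "internet", None),   # relay / proxy egress only
]

def is_allowed(src: str, dst: str, dport: int) -> bool:
    """Evaluate one new connection against the zone policy (default deny)."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True  # intra-zone traffic never crosses the firewall here
    return any(rs == s and rd == d and (rp is None or rp == dport)
               for rs, rd, rp in RULES)

def denied_flows(flows):
    """Return the flows a policy audit would flag, e.g. from a connection log."""
    return [(src, dst, port) for src, dst, port in flows
            if not is_allowed(src, dst, port)]

if __name__ == "__main__":
    # Constructed sample: a mix of legitimate and policy-violating flows.
    sample = [
        ("198.51.100.7", "203.0.113.10", 25),   # internet -> DMZ relay: allowed
        ("198.51.100.7", "10.1.2.3", 25),       # internet -> internal Exchange: denied
        ("10.1.2.3", "203.0.113.20", 3128),     # internal -> DMZ proxy: allowed
        ("10.1.2.3", "198.51.100.7", 443),      # internal -> internet direct: denied
        ("203.0.113.10", "10.1.2.3", 445),      # DMZ host into internal: denied
    ]
    for flow in denied_flows(sample):
        print("policy violation:", flow)
```

Running the block prints the three flows that violate the policy; the same evaluator can be fed exported firewall or NetFlow records to confirm that no internet-to-internal or DMZ-to-internal connections are being accepted.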
Here is an alternate perspective from a reputable source:


http://etherealmind.com/design-enterprise-dmz-firewall-clusters/


harbor235 ;}
harbor,

With my configuration, my Exchange is behind the NSA3500, and the 2 VPNs go straight to the DMZ switch to the internet:

                            ISP
                              |
              |--------DMZ SWITCH------------------------------------|
                   |                                                   |
                  3rd Party Cisco VPN (x2)                |
                                                                        |
                                                               NSA 3500
                                                                |         |
                                                                |        xwall port 25
                                                                |          |
                                                                |        Exchange 2003
                                                            internal network
ASKER CERTIFIED SOLUTION (harbor235)