cfgtechs

validate this article please on DMZ setups

http://www.skullbox.net/configureDMZnetwork.php

I have the first example configuration the author writes about. Can someone point to a reference where I can see this configuration being drawn out? I contacted the author, but he said he built it this way according to his own work experience. Many thanks.
Tags: Hardware Firewalls, Switches / Hubs, Security

Last comment: harbor235, 8/22/2022 (Mon)
harbor235

I do not like that setup, it does not provide inspection capabilities for traffic destined to your DMZ hosts leaving DMZ hosts totally unprotected. But what is your question specifically about the design?

I prefer the following:


                ISP
                 |                 / server1
             FIREWALL--------DMZSWITCH
                 |                 \ server2
                 |
          InternalNetwork



harbor235 ;}
Sanga Collins

The second option, using a firewall DMZ, is the best option, especially if you are going to use a Juniper SSG device. The cons do not really hold up, since you can configure 2 SSG140 in High Availability mode and, by using a loopback interface, you can give a public IP directly to a server on the LAN. (I use the loopback to give my SonicWall SSL VPN a public IP.)

If you do not need your internal servers to have a public IP and can use a mapped public IP, I would go with option 2.
cfgtechs

ASKER
This is what I have going on. How does this look? Should I put in change orders to get
the VPNs behind the NSA3500?


                        ISP
                         |
          |--------DMZ SWITCH--------|
          |                          |
   3rd Party Cisco VPN (x2)       NSA 3500
                                  |       |
                                  |    xwall port 25
                                  |       |
                                  |    Exchange 2003
                            internal network
harbor235

I am not sure from your diagram. However, the main point behind the diagram I drew
is that there is a separate DMZ switch from the one that connects to your internal networks,
as well as a security policy that enforces internet-to-DMZ and no internet-to-internal traffic flows. All services are in the DMZ (web, mail, etc.), so internal host flows for enterprise services are directed to the DMZ, and potentially internal-to-internet flows go through a web proxy in the DMZ as well.


harbor235
cfgtechs

ASKER
harbor,

"But what is your question specifically about the design?"

I guess: is it a valid DMZ, taking into account that I have 1 Exchange server that is inside the firewall? A front and rear Exchange would be ideal, but I don't have that.

And the only other devices that require a public IP are the 3rd party VPNs. I guess I could
configure an interface on the NSA3500 and give it the assigned public IP accorded to each device, taking it to the inside of the firewall.
harbor235

If you are talking about the original DMZ design via the URL you provided and the first example, I would never deploy that design. My reason: there is nothing protecting the Exchange server if it is only connected to a switch and not behind a FW to perform deep packet inspection, policy enforcement, and attack mitigation. The services deployed in this fashion would be unreliable from my perspective.

The design I provided can still use public addressing; the key discernible differences are that my design allows the Exchange server to be behind a FW and uses a separate DMZ switch.

It's all about enforcing a policy. However, you can do it any way you like; I am just not sure it meets network security best practices.

harbor235 ;}
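To make harbor235's two points concrete (a zone policy that allows internet-to-DMZ only for published services and never internet-to-internal, and the observation that a host with no firewall between it and the ISP gets no inspection or policy enforcement), here is an added example that is not from the thread, the linked article, or any vendor. It models the design as zones and a default-deny rule table, and checks the two diagrams on the page for hosts that have no firewall in their path. Zone names, service ports (including the assumed proxy port 3128), host labels and the device lists are all constructed assumptions.

```python
"""Zone-based DMZ policy model and a firewall-in-path check.

Constructed example: zones, rules, ports and host paths are assumptions made
for illustration, not a configuration taken from the thread or any product.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three zones in harbor235's design. Every inter-zone flow crosses the
# firewall; the DMZ hangs off its own switch, separate from the internal LAN.
INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    port: Optional[int]   # None means any destination port
    action: str           # "allow" or "deny"


# Ordered policy, first match wins. Note what is absent: there is no rule at
# all from the internet to the internal zone, and no direct internal-to-
# internet rule; internal browsers must go through the proxy in the DMZ.
POLICY: List[Rule] = [
    Rule(INTERNET, DMZ, "tcp", 25, "allow"),    # mail relay published in the DMZ
    Rule(INTERNET, DMZ, "tcp", 443, "allow"),   # web front end published in the DMZ
    Rule(INTERNAL, DMZ, "tcp", 25, "allow"),    # internal mail server to DMZ relay
    Rule(INTERNAL, DMZ, "tcp", 3128, "allow"),  # internal clients to DMZ web proxy (assumed port)
    Rule(DMZ, INTERNET, "tcp", 80, "allow"),    # proxy fetches on behalf of internal clients
    Rule(DMZ, INTERNET, "tcp", 443, "allow"),
    Rule(DMZ, INTERNET, "tcp", 25, "allow"),    # relay delivers outbound mail
]


def evaluate(src: str, dst: str, proto: str, port: int) -> str:
    """Return the firewall's verdict for one flow; unmatched flows are denied."""
    if src == dst:
        return "allow"  # same-zone traffic never crosses the firewall
    for rule in POLICY:
        if (rule.src == src and rule.dst == dst and rule.proto == proto
                and (rule.port is None or rule.port == port)):
            return rule.action
    return "deny"  # default deny is what makes the zone separation meaningful


def unprotected_hosts(paths: Dict[str, List[str]]) -> List[str]:
    """Hosts whose path from the ISP contains no firewall.

    `paths` maps a host label to the ordered list of devices between the ISP
    and that host. A host is considered inspected only if some device in its
    path is labelled as a firewall; a bare switch provides no policy.
    """
    return sorted(
        host for host, devices in paths.items()
        if not any(device.startswith("firewall") for device in devices)
    )


# Constructed paths mirroring the asker's diagram: Exchange sits behind the
# NSA 3500 (and the xwall relay), while the two VPN devices hang directly off
# the DMZ switch with nothing in front of them.
ASKER_LAYOUT = {
    "exchange2003": ["dmz-switch", "firewall:nsa3500", "xwall"],
    "cisco-vpn-1": ["dmz-switch"],
    "cisco-vpn-2": ["dmz-switch"],
}

# Constructed paths mirroring harbor235's diagram: the firewall is the first
# hop from the ISP, so both DMZ servers and the internal network sit behind it.
HARBOR235_LAYOUT = {
    "server1": ["firewall", "dmz-switch"],
    "server2": ["firewall", "dmz-switch"],
    "internal-host": ["firewall"],
}

if __name__ == "__main__":
    for flow in [(INTERNET, DMZ, "tcp", 25), (INTERNET, INTERNAL, "tcp", 25),
                 (INTERNAL, INTERNET, "tcp", 80), (INTERNAL, DMZ, "tcp", 3128)]:
        print(flow, "->", evaluate(*flow))
    print("asker layout, no firewall in path:", unprotected_hosts(ASKER_LAYOUT))
    print("harbor235 layout, no firewall in path:", unprotected_hosts(HARBOR235_LAYOUT))
```

Running it shows the asker's two VPN devices as the only hosts with no firewall in their path, which is exactly the change-order question raised in the thread, and shows that an internet-to-internal flow is denied not by a specific block rule but by the absence of any allow rule.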
harbor235

Here is an alternate perspective from a reputable source,


http://etherealmind.com/design-enterprise-dmz-firewall-clusters/


harbor235 ;}
cfgtechs

ASKER
harbor,

With my configuration, my Exchange is behind the NSA3500, and the 2 VPNs go straight from the DMZ switch to the internet:


                        ISP
                         |
          |--------DMZ SWITCH--------|
          |                          |
   3rd Party Cisco VPN (x2)       NSA 3500
                                  |       |
                                  |    xwall port 25
                                  |       |
                                  |    Exchange 2003
                            internal network
ASKER CERTIFIED SOLUTION
harbor235