
Security Basics mailing list archives
Re: Basic Network Configuration
From: DRAx <dra.x () ifrance com>
Date: Wed, 15 Oct 2003 17:33:44 +0000
Hi, I'm in the middle of building one myself so I'll give you a few guidelines to follow.

You have to build a DMZ on the principle that it is UN-trustworthy and CAN be compromised. There shouldn't be any user account on your DMZ. For email, I suggest some sort of tunnel through your firewall (IPSEC, stunnel,...) routed towards your Internal LAN. You shouldn't have your Web Intranet on the DMZ. I suggest using some reverse-proxy mechanism, and have it reside on the Internal LAN. I hope you get the general idea.

Yes, anything that requires access from outside should be in the DMZ. BUT you should only put information there that you are prepared to lose. Only PUBLIC information. No accounts, no private data, etc.

Hope this helped (I am myself doing this for the first time :)

DRAx

P.S.: I'm sorry if I sent this message twice but I didn't get it back from the mailing list. Is this normal, or did I just do something wrong (and I haven't sent this twice)?
Smith, KC wrote:
All,

Okay, I know this is truly a basic question, but this is after all the "security-BASICS" list!

Most LAN configs I've seen include two separate pieces of hardware to define the DMZ. A firewall on the outside and another firewall or policy switch on the inside is usually how I've seen that handled. My new company uses 3 separate NICs in the same firewall. One for inbound, one for the LAN and one for the DMZ. Each has its own address block. It seems like using the firewall to do this makes sense, but I'd appreciate some external confirmation on that.

The second issue is this: is there a rule of thumb to determine what should and should not go in the DMZ vs. the LAN? It seems to me that anything that requires access from outside the network (Ex. DNS servers, Mail servers, demo servers, etc.) should go in the DMZ. True?

Thanks in advance.

KC Smith
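An added example, not part of the original posts: a small Python model of the single-firewall, three-NIC layout from the question, which audits the effective first-match policy against the reply's principle that the DMZ is untrusted. The zone names, ports, rule table and the single permitted DMZ-to-LAN mail flow are assumptions made for illustration.

```python
# Added example; zone names, ports and the rule table are constructed.
# Forward rules for NEW connections, evaluated first-match:
# (src_zone, dst_zone, proto, dport, action). None is a wildcard.
# Replies to established connections are assumed to be handled statefully.
RULES = [
    ("wan", "dmz", "tcp", 25, "accept"),   # public mail relay
    ("wan", "dmz", "tcp", 80, "accept"),   # public web server
    ("wan", "dmz", "udp", 53, "accept"),   # public DNS
    ("lan", "dmz", None, None, "accept"),  # admins manage DMZ hosts from inside
    ("lan", "wan", None, None, "accept"),  # outbound user traffic
    ("dmz", "lan", "tcp", 25, "accept"),   # assumed: relay delivers to internal mail
    ("dmz", "lan", "tcp", 445, "accept"),  # constructed mistake: file shares from DMZ
]

def decide(src, dst, proto, dport, rules=RULES):
    """Return the action of the first matching rule; the default is drop."""
    for r_src, r_dst, r_proto, r_dport, action in rules:
        if ((r_src, r_dst) == (src, dst)
                and r_proto in (None, proto)
                and r_dport in (None, dport)):
            return action
    return "drop"

def audit(rules=RULES, dmz_to_lan_ok=frozenset({("tcp", 25)})):
    """Probe the effective policy and report flows that trust the DMZ or WAN.

    Probes every (proto, port) named in the rules plus one canary port, so a
    wildcard accept is caught even though it names no port itself.
    """
    probes = {(p, d) for _, _, p, d, _ in rules if p and d} | {("tcp", 65000)}
    findings = []
    for proto, dport in sorted(probes):
        # Nothing from outside may open a connection straight into the LAN.
        if decide("wan", "lan", proto, dport, rules) == "accept":
            findings.append(("wan->lan", proto, dport))
        # A compromised DMZ host may only use the explicitly pinned flows.
        if (decide("dmz", "lan", proto, dport, rules) == "accept"
                and (proto, dport) not in dmz_to_lan_ok):
            findings.append(("dmz->lan", proto, dport))
    return findings

if __name__ == "__main__":
    for finding in audit():
        print("policy violation:", finding)
```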