
A potentially, probably dumb question about DMZ

MulLa

Golden Member
Hi all

I was just doing a bit of thinking but can't quite figure out the reason behind a DMZ.

Say for a web / ftp server, wouldn't it be safer / better just keeping it on a totally separate network from your private internal network? Why do we need a DMZ in these cases? Well, maybe for a mail server it would be appropriate, since the internal network needs to access its e-mail.

Thanks and sorry for being ignorant 😱
 
A DMZ should be a separate network to ensure that no traffic from the outside world gets to your internal network. When you protect a network with a PIX firewall, for example, one of your ports is designated as a DMZ on a separate network from what you are using internally. You then set up access lists to allow people on your internal network to access resources like the mail server you mentioned, but prevent traffic from coming into your internal network via the DMZ. Even with a web server or ftp server you may have internal network users that need access to these, and you can set different access than the access you are allowing external people coming in through the DMZ. Hope that helps...
 
A DMZ is a place to put a device you need to access, but just don't quiiiiite trust totally. A good example of this is a mail relay. Your network relies on this box to send/receive e-mail, but it's connected to the Internet and could easily be compromised.

- G
 
Hi

Thanks everyone for your input; I'm beginning to understand the reason / logic behind having a DMZ now.

So say I've got a web server that no one in the internal network needs to access. The admin is the only one who needs to touch it, and he has physical access. Would it be better for that server to be on a physically different network instead of messing around with setting up a DMZ?
 
Exactly. But is that reality? Would a company ever have a webserver that nobody in that company would need to get to? That probably won't happen. Even then, you want to make sure that webserver is protected by a firewall to ensure that it's not vulnerable to attacks, defacing, etc.

- G
 
Of course, the problem is that most SOHO routers use "DMZ" incorrectly, in that their DMZ:
1. can have only 1 PC
2. is on the same network as all other machines.

Basically, the DMZ on a SOHO router is the PC that will have all ports directed to it.

Now on the other hand, Smoothwall and Astro have real DMZs, where you can have multiple machines (web, ftp, mail, etc.) on a separate network. This config requires 3 NICs, though:

The Green NIC: safe and trusted zone, i.e. your LAN
The Orange NIC: your LAN, but not trusted and open to the Red zone (mail, ftp, www servers)
The Red NIC: Internet, not trusted.

The Orange NIC would be the DMZ.
 
The only real way to do what you are contemplating is to have two firewall boxes: one would protect your untrusted segment and the other would protect your trusted segment.

Why double the hardware when you can just run another interface on the one firewall and break out an untrusted network? That untrusted network would be called the DMZ.

That segment should be configured on the firewall to have no direct access to your local network, and this in and of itself means it is separated and more secure.

A DMZ is not an end-all be-all, but another means to ensure that a compromised machine does not have direct access to your local trusted network. Anything the hacker wants to do has to pass through the firewall once again to get to the trusted network, and if you configure the firewall correctly, it will be much harder for a machine in the DMZ to do any serious damage to the internal trusted network.
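The two configurations the thread contrasts, the three-NIC green/orange/red firewall with a real DMZ segment and the SOHO router's "DMZ host" that sits on the LAN with every port forwarded to it, can be modelled side by side. The example below is added here and is not code from anyone in the thread or from Smoothwall; the addresses, interface names, and the list of permitted services are assumptions chosen for illustration. It evaluates connection attempts against a first-match, default-drop policy, shows what a compromised DMZ box can reach in each design, and renders the real-DMZ policy as an nftables forward chain.

```python
"""Zone firewall model: real three-zone DMZ vs. SOHO "DMZ host".
Added example, not from the thread; addressing and NIC names are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumption): which segment an address belongs to.
SEGMENTS = {
    "green": ipaddress.ip_network("192.168.1.0/24"),     # trusted LAN
    "orange": ipaddress.ip_network("192.168.100.0/24"),  # DMZ
}
IFACES = {"green": "eth0", "orange": "eth1", "red": "eth2"}  # assumed NIC names


def zone_of(ip: str) -> str:
    """Map an address to green/orange; anything else is on the red (Internet) side."""
    addr = ipaddress.ip_address(ip)
    for zone, net in SEGMENTS.items():
        if addr in net:
            return zone
    return "red"


@dataclass(frozen=True)
class Rule:
    src: str                        # zone the connection starts from
    dst: str                        # zone it is going to
    dport: Optional[int]            # TCP port, None = any port
    action: str                     # "accept" or "drop"
    dst_host: Optional[str] = None  # restrict to one destination address


# Real DMZ: the orange segment offers exactly the services it must, nothing
# initiates from orange into green, and everything unlisted is dropped.
REAL_DMZ = [
    Rule("red", "orange", 80, "accept"),      # public web server
    Rule("red", "orange", 443, "accept"),
    Rule("red", "orange", 25, "accept"),      # inbound SMTP to the mail relay
    Rule("green", "orange", 143, "accept"),   # LAN users read mail from the relay
    Rule("green", "orange", 80, "accept"),    # LAN users reach the web server too
    Rule("green", "orange", 22, "accept"),    # admin SSH into the DMZ
    Rule("green", "red", None, "accept"),     # LAN browsing out
    Rule("orange", "red", 25, "accept"),      # relay sends mail out
    Rule("orange", "red", 53, "accept"),      # and resolves MX records
]

# SOHO "DMZ host": every inbound port is forwarded to one PC that lives on the
# same segment as every other LAN machine.
SOHO_DMZ_HOST = [
    Rule("red", "green", None, "accept", dst_host="192.168.1.50"),
    Rule("green", "red", None, "accept"),
]

# Constructed LAN targets an attacker on the exposed box would go after.
LAN_TARGETS = [("192.168.1.10", 445), ("192.168.1.10", 3389), ("192.168.1.20", 22)]


def allowed(policy, src_ip: str, dst_ip: str, dport: int) -> bool:
    """Can src_ip open a new TCP connection to dst_ip:dport under this policy?
    Only connection setup is modelled; replies ride on conntrack state."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s == d:
        return True  # same segment: the firewall never sees this traffic
    for r in policy:
        if (r.src == s and r.dst == d and r.dport in (None, dport)
                and r.dst_host in (None, dst_ip)):
            return r.action == "accept"
    return False  # default policy: drop


def reachable_from(policy, attacker_ip: str, targets):
    """(host, port) pairs a compromised attacker_ip can still connect to."""
    return sorted((h, p) for h, p in targets if allowed(policy, attacker_ip, h, p))


def to_nftables(policy) -> str:
    """Render a policy as an nftables forward chain (default drop)."""
    lines = ["table inet fw {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy:
        parts = [f'iifname "{IFACES[r.src]}"', f'oifname "{IFACES[r.dst]}"']
        if r.dst_host:
            parts.append(f"ip daddr {r.dst_host}")
        if r.dport is not None:
            parts.append(f"tcp dport {r.dport}")
        parts.append(r.action)
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("real DMZ, web server compromised:", reachable_from(REAL_DMZ, "192.168.100.10", LAN_TARGETS))
    print("SOHO DMZ host compromised:      ", reachable_from(SOHO_DMZ_HOST, "192.168.1.50", LAN_TARGETS))
    print(to_nftables(REAL_DMZ))
```

The point the model makes is the one in the last two posts: in the three-zone design a compromised web server in orange gets nothing on the LAN because no orange-to-green rule exists, while the SOHO "DMZ host" reaches every LAN target because it is on the green segment and the firewall is never in the path. The rendered nftables chain is the same policy table expressed as rules; the `ct state established,related accept` line is what lets the replies to permitted connections flow back without a separate rule per direction.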
 