[Wolves] Same machine : 2 Nic's -- 1 DMZ 1 LAN
James Turner
james at turnersoft.co.uk
Sun Jan 9 13:30:38 GMT 2005
On Saturday 08 Jan 2005 11:01, Kevanf1 wrote:
> Well to show my ignorance yet again.... could somebody please tell me
> what a DMZ is? I know it stands for De Militarized Zone but that's
> all I know. Oh, please give me an explanation in lay terms :-)))
Here's a diagrammatic representation of how Internet connectivity might be
achieved using a dedicated firewall router with DMZ. You'll need to set your
mail client to use a fixed point font to see it properly (if this isn't
already the default).
   Incoming "pipe"
    from Internet
         |
         |
        \/                  Connection
 -------------------          to DMZ         ------------------
 | Firewall Router |-------------------------| Switch for DMZ |
 -------------------                         ------------------
         |                                      |    |    |
         | Connection                           |    |    |
         | to LAN                              \/   \/   \/
         |                           Connections to public-facing
 ------------------                  web or ftp servers, etc.
 | Switch for LAN |
 ------------------
   |    |    |    |
   |    |    |    |
  \/   \/   \/   \/
 Connections to non public-facing
 servers and workstations on LAN
Further Implementation Notes:
1. The firewall policy would be set up something like this:
- Workstations on the LAN can access the Internet (depending on
requirements, this may be achieved in conjunction with application-level
proxy servers such as SQUID, caching DNS or mail relays)
- Authorised locations (which may in practice be the entire LAN, depending
on policy) are able to connect to the DMZ machines for administration or
accessing other specific facilities depending on what's running on them.
- Machines in the DMZ can access the Internet and can be accessed _from_
the Internet in accordance with their specific roles. Ideally there
would be no ability to connect from the DMZ to the LAN (an exception
being where a back-end database is used by a web server, for example).
This arrangement minimises the risk to machines on the LAN should security be
breached within the DMZ (which is at a higher level of exposure).
2. The firewall has three network interfaces (usually Ethernet, though one may
be via serial, USB or other technology depending on the type of incoming
"pipe" from the Internet). Each has its own IP address on a separate IP
network.
3. Where the inbound pipe provides only a single public IP address the DMZ and
LAN would each use IP address ranges within the blocks reserved for private
networks (such as 192.168.xxx.xxx).
- connectivity between the LAN and Internet would typically be achieved
using IP masquerading (network address translation (NAT) of source address
for packets originating on the LAN and destined for the Internet) and/or
application-level proxies.
- Connectivity between the DMZ and Internet would typically be achieved
using port forwarding (NAT of destination address for packets originating
from the Internet).
- No address translation would be needed for communication between LAN and
DMZ.
4. Where the inbound pipe provides multiple public IP addresses, the
implementor may choose to assign public addresses to the DMZ machines
directly and route packets to and from them without address translation.
5. The switch for the DMZ may be replaced with just a crossover cable where
there is only one public-facing server.
6. Some broadband routers provide what they describe misleadingly as a "DMZ
function". In practice, this usually consists of simply port forwarding any
inbound connections to a specific internal IP address which you can specify.
The "proper" meaning of DMZ is as described above and by the other posters
responding to your question (thus far).
7. There are various other optimisations you could do depending on the level
of security/paranoia required, such as having additional "inner" firewall
routers or using packet filtering firewalls on the servers and workstations
themselves (esp. within the DMZ, preventing communication from one to
another).
Regards,
James
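As an added example that is not part of James's post, here is a small Python model of the three-zone policy from notes 1 and 3 (LAN-to-Internet masquerading, Internet-to-DMZ port forwarding, LAN-to-DMZ without NAT, DMZ-to-LAN denied except the web-server-to-database case), useful for checking what a ruleset should and should not let through. The address ranges, the public IP, the host addresses and the ports are constructed assumptions, and outbound DMZ traffic is assumed to be masqueraded behind the same single public address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: private ranges for LAN and DMZ, one public IP.
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.2.0/24")
PUBLIC_IP = "203.0.113.10"   # the firewall's single public address (assumed)
DMZ_WEB = "192.168.2.10"     # public-facing web server in the DMZ (assumed)
LAN_DB = "192.168.1.20"      # back-end database on the LAN, the one exception (assumed)
PUBLISHED_PORTS = (80, 443)  # services port-forwarded from the Internet to DMZ_WEB


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


def zone(ip):
    """Map an address to the firewall interface ('lan', 'dmz' or 'internet') it belongs to."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr in DMZ:
        return "dmz"
    return "internet"


def apply_policy(pkt):
    """Return (verdict, packet as it leaves the firewall) for a new connection."""
    s, d = zone(pkt.src), zone(pkt.dst)
    # Internet -> DMZ: port forwarding (NAT of destination) for published ports only.
    if s == "internet" and pkt.dst == PUBLIC_IP and pkt.dport in PUBLISHED_PORTS:
        return "accept", Packet(pkt.src, DMZ_WEB, pkt.dport)
    # LAN -> Internet and DMZ -> Internet: IP masquerading (NAT of source).
    if s in ("lan", "dmz") and d == "internet":
        return "accept", Packet(PUBLIC_IP, pkt.dst, pkt.dport)
    # LAN -> DMZ: administration from the LAN, no address translation needed.
    if s == "lan" and d == "dmz":
        return "accept", pkt
    # DMZ -> LAN: denied, except the web server reaching its back-end database.
    if s == "dmz" and d == "lan":
        if pkt.src == DMZ_WEB and pkt.dst == LAN_DB and pkt.dport == 5432:
            return "accept", pkt
        return "drop", None
    # Anything else (Internet -> LAN, unpublished ports on the public IP) is dropped.
    return "drop", None
```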