[Wolves] Same machine : 2 Nic's -- 1 DMZ 1 LAN

Kevanf1 kevanf1 at gmail.com
Sun Jan 9 19:36:18 GMT 2005


On Sun, 9 Jan 2005 13:30:13 +0000, James Turner <james at turnersoft.co.uk> wrote:
> On Saturday 08 Jan 2005 11:01, Kevanf1 wrote:
> > Well to show my ignorance yet again.... could somebody please tell me
> > what a DMZ is?  I know it stands for De Militarized Zone but that's
> > all I know.  Oh, please give me an explanation in lay terms :-)))
> 
> Here's a diagrammatic representation of how Internet connectivity might be
> achieved using a dedicated firewall router with DMZ. You'll need to set your
> mail client to use a fixed-point font to see it properly (if this isn't
> already the default).
> 
>        Incoming "pipe"
>         from Internet
>              |
>              |
>              \/            Connection
>      -------------------     to DMZ     ------------------
>      | Firewall Router |----------------| Switch for DMZ |
>      -------------------                ------------------
>              |                             |     |     |
>              | Connection                  |     |     |
>              | to LAN                      \/    \/    \/
>              |                          Connections to public-facing
>      ------------------                 web or ftp servers, etc.
>      | Switch for LAN |
>      ------------------
>        |   |   |   |
>        |   |   |   |
>        \/  \/  \/  \/
>      Connections to non public-facing
>      servers and workstations on LAN
> 
> Further Implementation Notes:
> 
> 1. The firewall policy would be set up something like this:
> 
>     - Workstations on the LAN can access the Internet (depending on
>       requirements, this may be achieved in conjunction with application-level
>       proxy servers such as SQUID, caching DNS or mail relays)
> 
>     - Authorised locations (which may in practice be the entire LAN, depending
>       on policy) are able to connect to the DMZ machines for administration or
>       accessing other specific facilities depending on what's running on them.
> 
>     - Machines in the DMZ can access the Internet and can be accessed _from_
>       the Internet in accordance with their specific roles. Ideally there
>       would be no ability to connect from the DMZ to the LAN (an exception
>       being where a back-end database is used by a web server, for example).
> 
> This arrangement minimises the risk to machines on the LAN should security be
> breached within the DMZ (which is at a higher level of exposure).
> 
> 2. The firewall has three network interfaces (usually Ethernet, though one may
> be via serial, USB or other technology depending on the type of incoming
> "pipe" from the Internet). Each has its own IP address on a separate IP
> network.
> 
> 3. Where the inbound pipe provides only a single public IP address the DMZ and
> LAN would each use IP address ranges within the blocks reserved for private
> networks. (such as 192.168.xxx.xxx)
> 
>   - connectivity between the LAN and Internet would typically be achieved
>     using IP masquerading (network address translation (NAT) of source address
>     for packets originating on the LAN and destined for the Internet) and/or
>     application-level proxies.
> 
>   - Connectivity between the DMZ and Internet would typically be achieved
>     using port forwarding (NAT of destination address for packets originating
>     from the Internet).
> 
>  -  No address translation would be needed for communication between LAN and
>     DMZ.
> 
> 4. Where the inbound pipe provides multiple public IP addresses, the
> implementor may choose to assign public addresses to the DMZ machines
> directly and route packets to and from them without address translation.
> 
> 5. The switch for the DMZ may be replaced with just a crossover cable where
> there is only one public-facing server.
> 
> 6. Some broadband routers provide what they describe misleadingly as a "DMZ
> function". In practice, this usually consists of simply port forwarding any
> inbound connections to a specific internal IP address which you can specify.
> The "proper" meaning of DMZ is as described above and by the other posters
> responding to your question (thus far).
> 
> 7. There are various other optimisations you could do depending on the level
> of security/paranoia required, such as having additional "inner" firewall
> routers or using packet filtering firewalls on the servers and workstations
> themselves (esp. within the DMZ, preventing communication from one to
> another).
> 
> Regards,
> 
> James
> 
> _______________________________________________
> Wolves LUG mailing list
> Homepage: http://www.wolveslug.org.uk/
> Mailing list: Wolves at mailman.lug.org.uk
> Mailing list home: http://mailman.lug.org.uk/mailman/listinfo/wolves
> 
Now I understand, cheers guys.  It doesn't mean I could set it up
straight off if I wanted to, but I do now have a clear concept of what
it means.  Sort of like a side entry that has a one-way valve at the
very back of it.  That one way being out only of course from the
internal network - sort of :-)  - Ignoring FTP work of files being
worked on if a web page was being set up.


-- 
Take care.
Kevan Farmer

34 Hill Street
Cheslyn Hay
Staffordshire
WS6 7HR
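As an added example (not part of the original thread or James's post), here is what implementation notes 1 and 3 above look like as an nftables ruleset for a Linux box with the three interfaces described: one towards the Internet, one to the LAN switch and one to the DMZ switch. The interface names, the private address ranges, the single web server in the DMZ, the back-end database on the LAN and the admin workstation are all assumptions chosen for illustration. A second function shows, for contrast, the "DMZ function" of note 6: a blanket port forward of all inbound traffic to one inner host.

```shell
#!/bin/sh
# Added example: three-legged firewall (Internet / LAN / DMZ) as an nftables ruleset.
# All names and addresses below are assumptions, not taken from the original post.
WAN_IF=${WAN_IF:-eth0}                  # incoming "pipe" from the Internet
LAN_IF=${LAN_IF:-eth1}                  # connection to LAN switch
DMZ_IF=${DMZ_IF:-eth2}                  # connection to DMZ switch
LAN_NET=${LAN_NET:-192.168.1.0/24}      # note 3: private range for the LAN
DMZ_NET=${DMZ_NET:-192.168.2.0/24}      # note 3: private range for the DMZ
WEB_HOST=${WEB_HOST:-192.168.2.10}      # public-facing web server in the DMZ
DB_HOST=${DB_HOST:-192.168.1.20}        # back-end database on the LAN (the one DMZ->LAN exception)
ADMIN_HOST=${ADMIN_HOST:-192.168.1.5}   # "authorised location" allowed to administer DMZ machines
DMZ_FAKE_HOST=${DMZ_FAKE_HOST:-192.168.1.50}  # target of a broadband router's so-called "DMZ host"

# Emit the ruleset implementing policy items 1a-1d and NAT items 3a-3c.
dmz_ruleset() {
cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # only the LAN may reach the firewall itself (ssh admin, caching DNS)
        iifname "$LAN_IF" ip saddr $LAN_NET tcp dport 22 accept
        iifname "$LAN_IF" ip saddr $LAN_NET udp dport 53 accept
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # 1a. workstations on the LAN can reach the Internet
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept
        # 1b. authorised LAN host may administer machines in the DMZ
        iifname "$LAN_IF" oifname "$DMZ_IF" ip saddr $ADMIN_HOST ip daddr $DMZ_NET tcp dport 22 accept
        # 1c. DMZ machines can reach the Internet; the Internet reaches them only on their role's ports
        iifname "$DMZ_IF" oifname "$WAN_IF" ip saddr $DMZ_NET accept
        iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $WEB_HOST tcp dport { 80, 443 } accept
        # 1d. the only DMZ -> LAN path: the web server talking to its database
        iifname "$DMZ_IF" oifname "$LAN_IF" ip saddr $WEB_HOST ip daddr $DB_HOST tcp dport 5432 accept
        # any other DMZ -> LAN traffic falls through to the chain's drop policy
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # 3b. port forwarding: rewrite the destination of inbound web connections to the DMZ server
        iifname "$WAN_IF" tcp dport { 80, 443 } dnat to $WEB_HOST
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # 3a. IP masquerading: rewrite the source of LAN and DMZ traffic leaving for the Internet
        oifname "$WAN_IF" ip saddr { $LAN_NET, $DMZ_NET } masquerade
        # 3c. no rule here matches LAN <-> DMZ flows, so they are routed untranslated
    }
}
EOF
}

# Note 6, for contrast: what many broadband routers call a "DMZ". Every unsolicited
# inbound packet is handed to one LAN host, with nothing separating it from the rest of the LAN.
router_dmz_host() {
cat <<EOF
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "$WAN_IF" dnat to $DMZ_FAKE_HOST
    }
}
EOF
}

# Usage: sh dmz.sh show | nft -c -f -    (syntax check)
#        sh dmz.sh apply                 (load, as root)
case "${1:-}" in
    show)  dmz_ruleset ;;
    apply) dmz_ruleset | nft -f - ;;
    fake)  router_dmz_host ;;
esac
```

Two points worth noticing when reading the generated rules: the DNAT in `prerouting` runs before the `forward` chain, so the forward rule for inbound web traffic matches on the already-translated address of the DMZ server, not on the firewall's public address; and the `forward` chain's `policy drop` is what enforces "no ability to connect from the DMZ to the LAN", because only the explicit web-to-database rule is listed for that direction.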


