
Re: DMZ



On Fri, May 11, 2001 at 07:55:23PM -0700, Cory Petkovsek wrote:
> On Sat, May 12, 2001 at 06:22:25AM -0700, Ray Olszewski wrote:
> > You do need 3 NICs to do this safely, BTW; Cory's reply omitted the one that
> > the DSL router connects to (at least here in PacBell territory). Sometimes
> > people fake DMZs with IP aliasing on the internal NIC, but doing it this way
> > defeats the security purpose of having a DMZ.
> 
> My reply (and my current setup) does have a nic that connects to the dsl router.  I have IP aliasing on the external nic, not the internal.  Aliasing the internal wouldn't do much good for security purposes.  The drawing I made actually excluded the switches, here's a more accurate rendition:
> 
> 
>               aaa.bbb         /------dmz server1 10.1.x
> internet -- dsl router -- dmz-switch
>                             /
>                            /
>        firewall-eth1-------
>         eth0
>          \          10.0.x
>           \---internal lan switches
>          
> eth1 is aliased to aaa.bbb and 10.1.x.  If a dmz server is cracked, my internal network traffic still cannot be dumped.
> 
> Ray, is this unsafe?  Do you see a problem with my setup?  I am certainly open to constructive criticism.
> 
Does your switch have an IP address?  If so, it may be possible to get the
switch to send packets from one port to all ports, and rendering your switch
like a hub.

If this happens, they can sniff your internal network traffic destined for
the internet.

Also, it looks like the DMZ servers aren't protected themselves.

Does your dsl router have any IPsec capabilities?

I'm looking at a setup like this:

          + -- adsl -+
internet -+          +-- firewall
          + -- sdsl -+     ||
                          DMZ  10.x.2.x
                         //
                        //
                  IPsec gateway/firewall
                      /
                     /
                   LAN 10.x.0.x

The double lines are encrypted traffic, so if sniffed they'll get encrypted
data.  If you trust IPsec for VPN over the internet, why not trust it
through your DMZ? 

Mike
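The switch-flooding risk Mike raises above (a switch that starts sending every port's frames to every port, so a DMZ host can see the firewall's internal-to-internet traffic) can be checked for passively from any host on the segment: on a healthy switched port, the only frames a host receives are its own and group-addressed (broadcast/multicast) ones, so a steady stream of unicast frames between two other MACs is the symptom. The following script is an added example for this thread, not code from the original post or from any of its participants. It parses raw Ethernet II frames and flags that condition; the MAC addresses, the sample frames and the detection thresholds are all constructed for illustration and are not from the thread.

```python
"""Passive check for a switch that is flooding unicast frames (hub-like).

Added example for the DMZ thread, not from the original mail.  Frames are
parsed as Ethernet II (dst MAC, src MAC, EtherType).  A frame that is neither
to/from our own MAC nor group-addressed is "foreign unicast"; a healthy
switched port should deliver essentially none of those.  All MACs, frames and
thresholds below are constructed assumptions, not captured data.
"""
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, EtherType (big-endian)


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def parse_frame(frame: bytes):
    """Return (dst, src, ethertype) for an Ethernet II frame, or None if truncated."""
    if len(frame) < ETH_HDR.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame)
    return mac_str(dst), mac_str(src), etype


def is_group_addr(mac: str) -> bool:
    """Broadcast/multicast MACs have the I/G bit (LSB of the first octet) set.
    A switch legitimately sends those to every port, so they are not evidence."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def classify(frames, my_mac: str):
    """Count frames as ours / group / foreign_unicast / malformed, and keep the
    (src, dst) pairs of the foreign unicast ones so the leak can be attributed."""
    counts = Counter()
    foreign_pairs = Counter()
    for raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            counts["malformed"] += 1
            continue
        dst, src, _ = parsed
        if my_mac in (dst, src):
            counts["ours"] += 1
        elif is_group_addr(dst):
            counts["group"] += 1
        else:
            counts["foreign_unicast"] += 1
            foreign_pairs[(src, dst)] += 1
    return counts, foreign_pairs


def flooding_suspected(counts, min_foreign: int = 5, ratio: float = 0.2) -> bool:
    """Heuristic (thresholds are assumptions for the example): enough foreign
    unicast frames in absolute terms and as a share of everything seen."""
    total = sum(counts.values())
    foreign = counts["foreign_unicast"]
    return foreign >= min_foreign and total > 0 and foreign / total >= ratio


def build_frame(dst: str, src: str, etype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a minimal Ethernet II frame (sample data only)."""
    return ETH_HDR.pack(mac_bytes(dst), mac_bytes(src), etype) + payload


# Constructed MACs standing in for the hosts in the thread's diagram.
MY_MAC = "00:50:56:aa:00:01"      # the DMZ server doing the check
FW_MAC = "00:50:56:aa:00:02"      # firewall's DMZ-side interface
ROUTER_MAC = "00:50:56:aa:00:03"  # the DSL router

# Healthy port: only our own conversation with the firewall plus an ARP broadcast.
HEALTHY_CAPTURE = [
    build_frame(MY_MAC, FW_MAC),
    build_frame(FW_MAC, MY_MAC),
    build_frame("ff:ff:ff:ff:ff:ff", FW_MAC, etype=0x0806),
]

# Flooding switch: the same, plus firewall <-> router traffic that is none of
# our business (this is the internal LAN's internet traffic leaking to the DMZ).
FLOODING_CAPTURE = HEALTHY_CAPTURE + [
    build_frame(ROUTER_MAC, FW_MAC) for _ in range(4)
] + [build_frame(FW_MAC, ROUTER_MAC) for _ in range(3)]


def check_capture(frames, my_mac: str = MY_MAC):
    """Return (suspected, counts, top foreign (src, dst) pairs) for a frame list."""
    counts, pairs = classify(frames, my_mac)
    return flooding_suspected(counts), dict(counts), pairs.most_common(3)


if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY_CAPTURE), ("flooding", FLOODING_CAPTURE)):
        suspected, counts, top = check_capture(cap)
        print(f"{name}: flooding_suspected={suspected} counts={counts} top_pairs={top}")
```

On a live system the frame list would come from a promiscuous-mode capture on the DMZ host; the point of the heuristic is that you do not need to decode anything above layer 2 to know the switch is handing you other hosts' traffic, which is exactly when an aliased external interface stops isolating the internal LAN's outbound flows.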


