Re: DMZ question
On Mon, 2004-08-09 at 16:14, Steve Melo wrote:
> I have a question about setting up a DMZ. My understanding is that on a
> switch layer 3 communication cannot happen without a router, so would it be
> safe to have 3 separate networks, (one for the internet, one for the dmz and
> one for the lan) all connected to the same switch? My idea is that the
> switch does not have the ability to connect the separate networks and all
> routing happens at the firewall machines. Any thoughts or suggestions?
>
> [ASCII network diagram, garbled in extraction. Recoverable layout: INTERNET <--> (eth0/ppp0) FIREWALL one (eth1) <--> switch <--> (eth0) FIREWALL two (eth1) <--> LAN; Email Srvr (eth0) also on the switch.]
>
> DMZ:
> 192.168.1.0/24 is the DMZ network
>
> Firewall one:
> eth0/ppp0 dynamic IP address
> eth1 attached to 192.168.1.0/24
>
> Firewall two:
> eth0 attached to 192.168.1.0/24
> eth1 attached to 192.168.2.0/24
>
> Email server:
> eth0 attached to 192.168.1.0/24
>
> LAN:
> 192.168.2.0 is the local area network
>
The idea of a separate DMZ is to have a separate "Physical" and
numerical subnet..
So your way, a compromised server could see everything with just an ARP
command and continue freely to explore..
Better to have the physical separation..
Regards,
Peter
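To make Peter's point concrete, here is an added example (not from either poster) that models the two designs as layer-2 segments and works out who a compromised DMZ host can reach without its traffic ever crossing a firewall. The host names, the single "lan-pc" and the segment names are constructed; the interface and subnet assignments follow the ones quoted in Steve's mail.

```python
"""Layer-2 adjacency model for the two DMZ designs in the thread.

Constructed topologies: SHARED_SWITCH puts every interface on one switch
(Steve's design); SEPARATED gives each network its own physical segment
(Peter's recommendation). Only the quoted interface/subnet assignments
come from the original post; everything else is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Iface:
    host: str
    name: str
    segment: str            # physical broadcast domain (switch or cable)
    subnet: Optional[str]   # configured IP subnet; None for the dynamic ppp0 link


# Steve's design: one switch carries the internet link, the DMZ and the LAN.
SHARED_SWITCH = [
    Iface("firewall-one", "eth0", "switch", None),
    Iface("firewall-one", "eth1", "switch", "192.168.1.0/24"),
    Iface("firewall-two", "eth0", "switch", "192.168.1.0/24"),
    Iface("firewall-two", "eth1", "switch", "192.168.2.0/24"),
    Iface("email-srvr",   "eth0", "switch", "192.168.1.0/24"),
    Iface("lan-pc",       "eth0", "switch", "192.168.2.0/24"),  # constructed LAN host
]

# Peter's recommendation: a separate physical segment per network.
SEPARATED = [
    Iface("firewall-one", "eth0", "wan-link",   None),
    Iface("firewall-one", "eth1", "dmz-switch", "192.168.1.0/24"),
    Iface("firewall-two", "eth0", "dmz-switch", "192.168.1.0/24"),
    Iface("firewall-two", "eth1", "lan-switch", "192.168.2.0/24"),
    Iface("email-srvr",   "eth0", "dmz-switch", "192.168.1.0/24"),
    Iface("lan-pc",       "eth0", "lan-switch", "192.168.2.0/24"),
]


def l2_neighbours(topology: List[Iface], host: str) -> List[str]:
    """Hosts sharing a broadcast domain with any interface of `host`.

    Adjacency is decided by the wire, not by the IP subnet: a host on a
    segment sees every ARP exchange on it and can re-address itself into
    any subnet present there, so the IP plan alone provides no isolation.
    """
    segments = {i.segment for i in topology if i.host == host}
    return sorted({i.host for i in topology
                   if i.segment in segments and i.host != host})


def unfirewalled_reach(topology: List[Iface], host: str,
                       subnet: str) -> List[Tuple[str, str]]:
    """Interfaces on `subnet` that `host` reaches directly at layer 2,
    i.e. without the traffic passing through a firewall's routing."""
    segments = {i.segment for i in topology if i.host == host}
    return sorted((i.host, i.name) for i in topology
                  if i.subnet == subnet and i.segment in segments
                  and i.host != host)


def dmz_is_isolated(topology: List[Iface], dmz_host: str = "email-srvr",
                    lan: str = "192.168.2.0/24") -> bool:
    """True when a compromised DMZ host can only talk to the two firewalls,
    which is the property a DMZ is meant to guarantee."""
    return (not unfirewalled_reach(topology, dmz_host, lan)
            and set(l2_neighbours(topology, dmz_host))
            <= {"firewall-one", "firewall-two"})


if __name__ == "__main__":
    for label, topo in (("shared switch", SHARED_SWITCH), ("separated", SEPARATED)):
        print(f"{label}: email server L2 neighbours = "
              f"{l2_neighbours(topo, 'email-srvr')}")
        print(f"  LAN interfaces reachable without a firewall hop: "
              f"{unfirewalled_reach(topo, 'email-srvr', '192.168.2.0/24')}")
        print(f"  DMZ isolated: {dmz_is_isolated(topo)}")
```

On the shared switch the email server is layer-2 adjacent to the LAN host and to firewall two's inside interface, so the second firewall's rules are never consulted; on the separated layout its only neighbours are the two firewalls, which is what makes the DMZ a DMZ. The same check applies to VLANs: a VLAN per network gives separate broadcast domains on one physical switch, but the switch configuration then becomes part of the trust boundary.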