ASA Physical DMZ vs. DMZ "Layer" upstream...

Unanswered Question
Aug 23rd, 2007
User Badges:

I have seen two ways to deploy DMZ's. One has an interface off the ASA become a DMZ and then you configure all the associated rules, NAT etc for traffic flow, inside to DMZ and DMZ to inside.

I have also see ASA's deployed with a simple Inside and Outside port arrangement with a DMZ layer present just inside the ASA inside interface and then another firewall (ASA or FWSM) upstream from that. Is one better than the other, or, more recommendable than the other?

The DMZ services in this case can be considered to be, email server, web portal, in-line IDS.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mprescher Fri, 08/24/2007 - 09:53
User Badges:

No, this isn't what I am referring to. I simply asking if having a dmz vlan and an inside vlan from the same ASA running through the same phsycial switch (logical separation vs. physical separation) is viewed as a best practice?

It used to be viewed as a not optimal solution because you are one command in the switch away from having your dmz lan linked directly to your inside secure network, completely bypassing the firewall.

srue Fri, 08/24/2007 - 10:25
User Badges:
  • Blue, 1500 points or more

I've never seen anything suggesting one way is better than the other. But if i'm reading correctly, it sounds like in the second scenario, the dmz is 'inline' with all inbound data. personally, i wouldn't want all inbound/outbound traffic passing through a dmz.

mprescher Tue, 08/28/2007 - 12:49
User Badges:

I can understand that alright. Sort of why I'm asking. Though, in this layered approach there is typically another layer of firewall that separates the inbound traffic from the DMZ traffic. The DMZ traffic is inline with the inbound data prior to the first front-line firewall in any case...that first firewall serving as a first layer of defense for access-list acceptance and deep inspection.


This Discussion