Discerning what goes in DMZ

oneirishpollack
Level 1

I am trying to convince my comrades that anything that provides a service to outside users, or anything with an open port accessible from the outside, should be put in our DMZ instead of on the 'Inside' interface of the firewall.

Is there a standard rule about determining what devices should go into a DMZ vs. Inside network?

I mean if it has a NAT'd address from the outside to the inside, does it make sense to dump it into the DMZ?

Thanks

Accepted Solution

Sorry, should have been more specific.

If the device is open for connections from the Internet, especially if the source IPs from the Internet cannot be locked down, then it should be on a DMZ.

The thinking behind this is that there are always bugs in software. If an attacker gained access to the server, then if it was on your inside network he would have free access to your entire network, whereas if it is on a DMZ he has limited access, if any.

It should be noted that firewalling is only one part of the overall solution - IDS/IPS plays a large part too, together with more traditional things such as logging, etc.

Jon
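Jon's rule can be checked mechanically against a firewall's own configuration. The following Python is an added example, not code from this thread or from Cisco: it parses a constructed ASA-style excerpt (hypothetical objects WEB1, MAIL1 and DB1 on RFC 5737 addresses) and flags any host that the ACL bound inbound on 'outside' exposes but whose NAT statement places it on 'inside' rather than 'dmz', rating rules with an 'any' source higher than ones locked to a single source host, as the answer suggests.

```python
import re
# Constructed ASA-style excerpt (hypothetical objects, RFC 5737 addresses) for this example.
SAMPLE_CONFIG = """\
object network WEB1
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network MAIL1
 host 192.168.50.20
 nat (dmz,outside) static 203.0.113.20
object network DB1
 host 10.1.1.30
 nat (inside,outside) static 203.0.113.30
access-list outside_in extended permit tcp any object WEB1 eq 443
access-list outside_in extended permit tcp any object MAIL1 eq 25
access-list outside_in extended permit tcp host 198.51.100.7 object DB1 eq 1433
access-group outside_in in interface outside
"""

def parse_objects(cfg):
    """Map object name -> {'host', 'zone'}; zone is the first interface of its nat line."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            cur = m.group(1)
            objs[cur] = {"host": None, "zone": None}
        elif cur and (m := re.match(r"\s+host (\S+)", line)):
            objs[cur]["host"] = m.group(1)
        elif cur and (m := re.match(r"\s+nat \((\w+),(\w+)\)", line)):
            objs[cur]["zone"] = m.group(1)
    return objs

def outside_permits(cfg):
    """Yield (source, object, port) for permit lines of the ACL applied inbound on 'outside'."""
    if not (m := re.search(r"access-group (\S+) in interface outside", cfg)):
        return
    pat = re.compile(rf"access-list {m.group(1)} extended permit \w+ (any|host \S+) object (\S+) eq (\S+)")
    for line in cfg.splitlines():
        if m := pat.match(line):
            yield m.group(1), m.group(2), m.group(3)

def misplaced_hosts(cfg, dmz_zone="dmz"):
    """Internet-reachable hosts not on the DMZ; an 'any' source (cannot be locked down) rates high."""
    objs, findings = parse_objects(cfg), []
    for src, name, port in outside_permits(cfg):
        zone = objs.get(name, {}).get("zone")
        if zone != dmz_zone:
            sev = "high" if src == "any" else "medium"
            findings.append({"object": name, "zone": zone, "port": port, "severity": sev})
    return findings
```

Running `misplaced_hosts(SAMPLE_CONFIG)` reports WEB1 (any source, tcp/443) as high and DB1 (single source host, tcp/1433) as medium; MAIL1 is already on the DMZ and is not reported.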

5 Replies

Jon Marshall
Hall of Fame

Richard

If connections to the server/device can be made from the Internet then that server/device should be firewalled.

Jon

When you say 'firewalled', the devices exist behind the firewall, but they exist on the 'inside' network, not in the DMZ. Do I have an argument that anything that can be connected to from the Internet (via smtp, http, https, etc) should be in the DMZ versus the 'inside'?

Thanks.


Thanks for your help.
