05-14-2009 05:56 AM - edited 03-11-2019 08:32 AM
I am trying to convince my comrades that anything that provides a service to outside users, or anything with an open port accessible from the outside, should be put in our DMZ instead of on the 'Inside' interface of the firewall.
Is there a standard rule about determining what devices should go into a DMZ vs. Inside network?
I mean if it has a NAT'd address from the outside to the inside, does it make sense to dump it into the DMZ?
Thanks
05-14-2009 06:17 AM
Richard
If connections to the server/device can be made from the Internet then that server/device should be firewalled.
Jon
05-14-2009 06:22 AM
When you say 'firewalled', the devices exist behind the firewall, but they exist on the 'inside' network, not in the DMZ. Do I have an argument that anything that can be connected to from the Internet (via smtp, http, https, etc) should be in the DMZ versus the 'inside'?
Thanks.
05-14-2009 06:33 AM
Sorry, should have been more specific.
If the device is open for connections from the Internet, especially if the source IPs from the Internet cannot be locked down, then it should be on a DMZ.
The thinking behind this is that there are always bugs in software. If an attacker gained access to the server and it was on your inside network, he would then have free access to your entire network, whereas if it is on a DMZ he has limited access, if any.
It should be noted that firewalling is only one part of the overall solution - IDS/IPS plays a large part too, together with more traditional things such as logging etc.
Jon
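As an added example (not part of the thread), a small Python audit that applies the rule above to a constructed set of inbound NAT/ACL records: hosts on the inside zone that are reachable from the Internet are flagged, with a higher severity when the permitted source cannot be locked down. Hostnames, zone names, ports and prefixes are all constructed.

```python
"""Audit firewall exposure records against the DMZ placement rule:
a host reachable from the Internet belongs in the DMZ, and the case is
strongest when the Internet source addresses cannot be locked down."""
from ipaddress import ip_network

# Constructed sample: each record is an inbound permit to a NAT'd server.
# Hosts, zones and prefixes are hypothetical, not from any real device.
RULES = [
    {"host": "mail01", "zone": "inside", "port": 25,   "src": "any"},
    {"host": "web01",  "zone": "dmz",    "port": 443,  "src": "any"},
    {"host": "erp01",  "zone": "inside", "port": 443,  "src": "198.51.100.0/24"},
    {"host": "db01",   "zone": "inside", "port": 1433, "src": "10.0.0.0/8"},
]

# RFC 1918 space; anything outside it is treated as an Internet source.
INTERNAL_PREFIXES = [ip_network(p) for p in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internet_source(src):
    """True when the permitted source is unrestricted or not an internal prefix."""
    if src == "any":
        return True
    net = ip_network(src)
    return not any(net.subnet_of(p) for p in INTERNAL_PREFIXES)


def audit_placement(rules):
    """Return {host: severity} for inside-zone hosts that the Internet can reach.
    'high'   = reachable from any Internet address (source cannot be locked down)
    'medium' = reachable only from specific external prefixes
    DMZ hosts and hosts reachable only from internal prefixes are not reported."""
    rank = {"medium": 1, "high": 2}
    findings = {}
    for r in rules:
        if r["zone"] != "inside" or not is_internet_source(r["src"]):
            continue
        sev = "high" if r["src"] == "any" else "medium"
        if rank[sev] > rank.get(findings.get(r["host"]), 0):
            findings[r["host"]] = sev   # keep the worst severity per host
    return findings


if __name__ == "__main__":
    for host, sev in sorted(audit_placement(RULES).items()):
        print(f"{sev.upper():6} {host}: Internet-reachable on the inside zone; move to DMZ")
```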
05-14-2009 06:48 AM
Thanks for your help.