DMZ design help

Unanswered Question
May 22nd, 2009


I have 2 x PIX 515Es to set up. This is for a colo, so there are no workstations/users on the LAN/secured int. However, I do have SQL servers that I would like to keep out of the DMZ from the web servers.

Should I set up the PIX with 3 interfaces: 1 outside, 1 DMZ, and 1 secure?

I would like traffic from outside to not be allowed into the secured int, but there will be several mappings from outside to DMZ. Also, some traffic will need to be allowed to pass from the secured to DMZ (can be open) and DMZ to secured (this needs to be controlled).

Also, these servers are all on the same domain. Should I put the domain controller servers in the secured area as well?

Any insights appreciated.

jeremyault Sat, 05/23/2009 - 10:08

Outside Interface - security level 0

DMZ interface - security level 50

Secure Interface - security level 100

Then put in specific ACLs to permit outside to DMZ and specific ACLs for DMZ to secure. Only permit into the DMZ what is needed. Nothing more. Lock it down by destination IP and port.

Traffic will automatically be permitted from a higher security level to a lower security level, so inside can talk to DMZ and outside, etc.

Think of the DMZ as a network with the potential to be compromised because public traffic is allowed in. No public traffic is allowed into the inside secure network so that's probably where you want your domain control servers.

But like all things, it depends. Hope that helps.
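A worked configuration for the three-interface layout jeremyault describes, added here as an example and not part of his reply or of any Cisco documentation. It uses PIX 7.x/8.0 syntax, and the interface names, addresses (RFC 5737 documentation ranges stand in for the colo's public block) and server roles in the comments are all assumptions made for illustration.

```cisco
! --- Interfaces and security levels (PIX 7.x/8.0 syntax) ---
! Assumed addressing: 203.0.113.0/29 is the colo's public block, 192.168.50.0/24 the DMZ,
! 10.10.10.0/24 the secured (inside) network.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! --- NAT ---
! Public mapping for one web server in the DMZ (assumed host 192.168.50.10 -> 203.0.113.3).
static (dmz,outside) 203.0.113.3 192.168.50.10 netmask 255.255.255.255
! Inside and DMZ see each other's real addresses (identity translation; needed when nat-control is on).
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
! Outbound PAT on the outside address for anything else that initiates toward the Internet.
nat (inside) 1 10.10.10.0 255.255.255.0
nat (dmz) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
!
! --- Outside -> DMZ: only the published services, locked down by destination IP and port ---
access-list outside_in extended permit tcp any host 203.0.113.3 eq 80
access-list outside_in extended permit tcp any host 203.0.113.3 eq 443
! Anything else arriving on outside, including anything aimed at 10.10.10.0/24, hits the implicit deny.
access-group outside_in in interface outside
!
! --- DMZ -> inside: controlled ---
! Binding an ACL inbound on "dmz" replaces the default higher-to-lower permit for that interface,
! so the list must (1) spell out what the DMZ may reach inside, (2) deny the rest of inside, and
! (3) permit whatever the web servers still need outbound (patches, CRL fetches, and so on).
! Assumed: SQL Server at 10.10.10.20, domain controller at 10.10.10.30.
access-list dmz_in extended permit tcp host 192.168.50.10 host 10.10.10.20 eq 1433
! DNS and Kerberos are only the start for a domain member; real AD membership also needs
! LDAP, SMB and RPC (389, 445, 135 plus the RPC dynamic range) and more, so widen deliberately
! rather than permitting ip any to the DC.
access-list dmz_in extended permit udp host 192.168.50.10 host 10.10.10.30 eq 53
access-list dmz_in extended permit tcp host 192.168.50.10 host 10.10.10.30 eq 88
access-list dmz_in extended permit udp host 192.168.50.10 host 10.10.10.30 eq 88
access-list dmz_in extended deny ip any 10.10.10.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.50.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! Inside -> DMZ and inside -> outside: no ACL on "inside", so the security levels (100 > 50 > 0)
! permit it and stateful inspection lets the replies back in.
```

Two checks worth running after applying this: `show access-list` shows per-line hit counts, so a line in `dmz_in` that never increments is a candidate for removal, and on PIX 7.x and later `packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.3 1433` and `packet-tracer input dmz tcp 192.168.50.10 40000 10.10.10.30 445` should both report a drop at the ACL phase, which confirms that a compromised web server cannot reach SQL from the outside or SMB on the domain controller from the DMZ. The one assumption that deserves the most scrutiny is the trailing `permit ip ... any` on `dmz_in`: if the web servers do not need to initiate connections to the Internet, drop it and the DMZ becomes a dead end for anything that lands there.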

