dmz design help

jefforamma
Level 1

Hey,

I have 2 x PIX 515Es to set up. This is for a colo, so there are no workstations/users on the LAN/secured interface. However, I do have SQL servers that I would like to keep out of the DMZ, separate from the web servers.

Should I set up the PIX with 3 interfaces: 1 outside, 1 DMZ, and 1 secure?

I would like traffic from outside to not be allowed into the secured interface, but there will be several mappings from outside to the DMZ. Also, some traffic will need to be allowed to pass from secured to DMZ (can be open) and from DMZ to secured (this needs to be controlled).

Also, these servers are all on the same domain. Should I put the domain controller servers in the secured area as well?

Any insights appreciated.


jeremyault
Level 1

Outside Interface - security level 0

DMZ interface - security level 50

Secure Interface - security level 100

Then put in specific ACLs to permit outside to DMZ and specific ACLs for DMZ to secure. Only permit into the DMZ what is needed. Nothing more. Lock it down by destination IP and port.

Traffic will automatically be permitted from a higher security level to a lower security level, so inside can talk to DMZ and outside, etc...

Think of the DMZ as a network with the potential to be compromised because public traffic is allowed in. No public traffic is allowed into the inside secure network so that's probably where you want your domain control servers.

But like all things, it depends. Hope that helps.
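As an added illustration (not part of the original thread, and not a config from either poster), here is what the three-interface layout in the reply looks like in PIX 6.3-style CLI. All addresses are assumed placeholders (RFC 5737 documentation space for the outside, RFC 1918 for DMZ and secure), as are the host roles: one public web server in the DMZ and one SQL server on the secure side.

```cisco
! Assumed interface roles and security levels, as in the reply above
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Placeholder addressing (constructed for this example)
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! PAT for anything that needs to originate to the outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Public mapping: outside 203.0.113.10 -> DMZ web server 192.168.10.10
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0

! Identity translation so DMZ hosts can address the secure subnet directly;
! without a static, the PIX will not build DMZ->inside connections at all
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0

! Outside -> DMZ: only the published service, by destination IP and port
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

! DMZ -> secure: one web server to one SQL server on one port, then deny the
! rest of the secure subnet. The final permit keeps DMZ -> outside working
! (applying an ACL to the interface replaces the implicit higher-to-lower
! permit for that interface, so it must be restated explicitly).
access-list dmz_in permit tcp host 192.168.10.10 host 10.0.0.20 eq 1433
access-list dmz_in deny ip any 10.0.0.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

! Inside -> DMZ and inside -> outside need no ACL: higher to lower is
! permitted by default, which matches "secured to dmz (can be open)".
```

Two points worth checking against this layout. First, the moment `access-group dmz_in in interface dmz` is applied, the DMZ interface loses its implicit permit toward lower security levels, so the trailing `permit ip any any` (which only reaches the outside once the preceding deny has blocked the secure subnet) is what keeps the web server's own outbound traffic alive. Second, if the DMZ web servers remain members of the same Windows domain as the SQL servers and domain controllers on the secure side, the `dmz_in` list would have to be widened to the directory protocols (DNS, Kerberos, LDAP, SMB, RPC and its dynamic ports) toward the domain controllers, which is exactly the kind of DMZ-to-secure hole the reply suggests keeping as narrow as possible.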
