Cisco Support Community
Community Member

Discerning what goes in DMZ

I am trying to convince my comrades that anything that provides a service to outside users, or anything with an open port accessible from the outside, should be put in our DMZ instead of on the 'Inside' interface of the firewall.

Is there a standard rule about determining what devices should go into a DMZ vs. Inside network?

I mean if it has a NAT'd address from the outside to the inside, does it make sense to dump it into the DMZ?

Thanks

5 REPLIES
Hall of Fame Super Blue

Re: Discerning what goes in DMZ

Richard

If connections to the server/device can be made from the Internet then that server/device should be firewalled.

Jon

Community Member

Re: Discerning what goes in DMZ

When you say 'firewalled', the devices exist behind the firewall, but they exist on the 'inside' network, not in the DMZ. Do I have an argument that anything that can be connected to from the Internet (via smtp, http, https, etc) should be in the DMZ versus the 'inside'?

Thanks.

Hall of Fame Super Blue (Accepted Solution)

Re: Discerning what goes in DMZ

Sorry, should have been more specific.

If the device is open for connections from the Internet, especially if the source IPs from the Internet cannot be locked down, then it should be on a DMZ.

The thinking behind this is that there are always bugs in software. If an attacker gained access to the server and it was on your inside network, he would then have free access to your entire network, whereas if it is on a DMZ he has limited access, if any.

It should be noted that firewalling is only one part of the overall solution - IDS/IPS plays a large part too, together with more traditional things such as logging etc.

Jon

Community Member

Re: Discerning what goes in DMZ

Thanks for your help.
