Logical Topology for DMZ and Firewalls

networkmage

Dec 31, 2015
Is it best practice to place a firewall BEFORE the DMZ zone holding a web server and mail relay, or just after, before the private network?

 
Solution
Yes. Typically you can use one firewall to do this.

An example would be port #1 WAN, port #2 LAN, port #3 DMZ. Normally you use separate subnets for the LAN and DMZ to make them two completely different networks. Then, depending on the firewall, you may need to make rules to block traffic between LAN and DMZ. However, on most firewalls they would be separated by default unless you create rules to allow cross traffic.

Then plug LAN and DMZ into their own switch and be on your way!

On my home network I one-way bridge some specific ports like 3389 to allow me to remote into my servers from my LAN network. However, it blocks all other traffic, etc. That's a preference thing and not required.

P.S.
And to answer your other question: No, a DMZ doesn't have to be more or less restrictive than any other LAN setup on your network. The main point of the DMZ is to separate traffic between your main production network and your servers/resources.
The firewall should BE the DMZ. The concept of DMZ has been perverted by home routers. All DMZ means on a home router is we forward all ports to some internal IP.

An actual DMZ has a set of firewall filters between the internet and the devices in the DMZ as well as a second set of filters between this network and the LAN network. It looks like: internet---dmzfirewall---machines---dmzfirewall----lan

In really paranoid enterprise installs the 2 DMZ firewalls are actually different physical devices. The more common would be a firewall with 3 ports. One goes to the internet, the second to a switch for the DMZ, and the third to the switch going to the LAN.
 
There are 3 rule sets: from internet to DMZ, DMZ to LAN, internet to LAN.

Pretty much you want to allow traffic to go from the LAN into the DMZ to access the servers....but only if you really need to. You do not want the DMZ servers to be able to initiate sessions with machines in the LAN, and you want a very restricted ability to initiate sessions with things on the internet. The reason for the DMZ is to prevent hop-off attacks. If the DMZ machines are compromised you do not want them to be able to attack your LAN machines or be used to attack the internet. Little you can do about them being able to attack other DMZ machines unless you get fancy switches that support the concept of private VLANs.

This is why an actual DMZ is very different than consumer routers. In a consumer router, if the DMZ machine gets compromised it has full access to the internal machines.
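The three rule sets described in the post above, written out as an added nftables ruleset for a 3-port firewall; this is an illustration, not configuration from the thread, and the interface names (eth0 = internet, eth1 = LAN, eth2 = DMZ) and the admin ports allowed from LAN into the DMZ are assumptions.

```nftables
# Assumed interfaces (not from the thread): eth0 = internet, eth1 = LAN, eth2 = DMZ
table inet filter {
    chain forward {
        # Default deny between all three legs; only listed flows pass.
        type filter hook forward priority 0; policy drop;

        # Replies to sessions permitted below may return on any leg.
        ct state established,related accept
        ct state invalid drop

        # Rule set 1: internet -> DMZ. Only the published services.
        iifname "eth0" oifname "eth2" tcp dport { 80, 443 } accept   # web server
        iifname "eth0" oifname "eth2" tcp dport 25 accept            # mail relay

        # Rule set 2: DMZ -> LAN. DMZ hosts never initiate into the LAN,
        # so a compromised DMZ box cannot hop off into internal machines.
        iifname "eth2" oifname "eth1" drop

        # LAN -> DMZ: admin access only, on ports you actually need (assumed).
        iifname "eth1" oifname "eth2" tcp dport { 22, 3389 } accept

        # DMZ -> internet: very restricted; the relay needs outbound SMTP,
        # and DMZ hosts need DNS. Nothing else leaves the DMZ.
        iifname "eth2" oifname "eth0" tcp dport 25 accept
        iifname "eth2" oifname "eth0" udp dport 53 accept

        # Rule set 3: internet -> LAN. Nothing inbound is listed, so it is
        # dropped by the chain policy; LAN may initiate outbound freely.
        iifname "eth1" oifname "eth0" accept

        # Log whatever falls through before the policy drops it.
        log prefix "fwd-drop: " counter
    }
}
```

Load it with `nft -f <file>` and watch the `fwd-drop:` log lines: a DMZ host trying to reach a LAN address is the hop-off attempt the post warns about.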

 
On a router the firewall checks all traffic coming in/out each port (phy or virt). The DMZ would be on its own and have rules to prevent it routing to any other local addresses.

You have to make sure the DMZ VLAN isn't bridged below the firewall with anything else. Many of the consumer routers have a fake DMZ that just forwards all ports to one machine. You want the LAN ports on your router unbridged. You can add a switch below for more ports.

A VLAN switch can give you many ports for each LAN if needed. Trunking will allow the router to pass all VLAN traffic to the VLAN switch over 1 wire. If you only need DMZ on 1 PC then skip that stuff and just get a good router. Edge routers are reasonably priced.