
List:       firewalls-gc
Subject:    Re: DMZ
From:       "HUNGRY PIRANHA" <del_38 () hotmail ! com>
Date:       2000-10-31 16:58:10

depends....

the box with the most should be the external host.

there are a lot of other details involved, but that's where I would start.


>From: "Alexandre" <aoliveira@ecommerce.com.br>
>To: "Hiemstra, Brenno" <BHiemstra@telfort.nl>
>CC: "Firewalls" <firewalls@lists.gnac.net>
>Subject: Re: DMZ
>Date: Tue, 31 Oct 2000 14:23:41 -0200
>
>Ok, first, thank you for your attention.
>
>So, I need a DMZ to run hosts with untrusted services (www, smtp etc), I
>believe that is a good reason.
>
>About the masquerading, I need this for my internal hosts, because I have a
>little IP range, ok?
>
>About the proxy, I need to do caching and so I could reduce the bandwidth
>usage, ok? Am I correct ?
>
>So, I'm thinking of using the Cisco router as the external router and the
>Linux box as the internal router, doing masquerading and proxy.
>
>Do you agree with this ???
>
>Best Regards
>
>-------------------------------------------------
>Alexandre de Oliveira
>eCommerce Internet & Intranet Concepts
>Fone: 5853-2131 / Fax: 5853-2164
>
>
>----- Original Message -----
>From: Hiemstra, Brenno <BHiemstra@telfort.nl>
>To: 'Alexandre' <aoliveira@ecommerce.com.br>; Firewalls
><firewalls@Lists.GNAC.NET>
>Sent: Tuesday, October 31, 2000 1:55 PM
>Subject: RE: DMZ
>
>
>
>Alexandre,
>
>Are you sure about the proxy thing, and do you know everything a proxy
>does? Because maybe you mean a firewall.
>
>A Cisco router has the ability to act as a masquerading host
>which is connected to the internet and the local LAN.
>
>If you want to locally store websites for better web performance,
>that's one thing that a proxy does, instead of only translating
>internet addresses to local LAN addresses, which is what a masquerading
>host does. A Cisco router can't do this because it doesn't hold
>a great amount of HD room for all this caching (or am I wrong?)
>
>A proxy can also regulate the access to the internet for a special
>group in your network (which you can specify on an NT domain
>controller machine for example). I don't know if a Cisco router
>has this ability; a Linux box can, like separation of who is able to
>FTP, WWW, ICQ, etc.
>
>If your network is a very large one then masquerade from a very
>fast machine which has its connection onto the internet and the
>local LAN. Maybe you have to cluster them for single point of failure.
>
>For some security reasons I would let a proxy or firewall do the
>masquerading instead of the external router, because this also does the
>routing for the DMZ. A masquerading host (proxy or firewall left behind)
>doesn't do that because when you create a DMZ you generally don't translate
>the IP addresses (internet to local addresses or the other way around).
>Especially if you have more hosts in your DMZ.
>
>From an overview point your network could look like this:
>
>INTERNET --{external router}-- DMZ --{masquerading host, firewall preferred}-- LAN
>
>If your external router has more than 2 interfaces you can let the
>masquerading host do the translation of the local internet addresses to the
>address of an external router interface which will route the packet onto
>the internet.
>
>A masquerading host, proxy or firewall, can view and drop IP packets higher
>in the OSI model than a regular Cisco router.
>
>None of this traffic (if the router is configured correctly) will go
>through the DMZ.
>
>As you can see this can be a complex environment and it all depends on
>various things (amount of internet IP addresses, design DMZ, amount of
>clients, etc)
>
>This is a question that is very difficult to answer. In a small network the
>external router can also be the proxy and the firewall (who knows,
>everything is possible nowadays).
>
>And a question from my side..  Why do you need a DMZ ???
>
>Greets,
>
>/Brenno
>
>
>
>
>
>
>
> > -----Original Message-----
> > From: Alexandre [SMTP:aoliveira@ecommerce.com.br]
> > Sent: dinsdag 31 oktober 2000 16:21
> > To: Firewalls
> > Subject: DMZ
> >
> > I'm looking for more opinions. I'm creating a DMZ with screened subnet
> > architecture. That's my doubt:
> >
> >     - Who should have to do masquerading? The internal or external
> > router?
> >     - Who should have to do proxy? The internal or external router?
> >
> > To do this I have a Linux box and a Cisco router. Who should be the
> > external router? Why?
> >
> > ThankZ.
> >
> >
> > Alexandre de Oliveira
> >
> >
> >
> >
> > -------------------------------------------------
> > Alexandre de Oliveira
> > eCommerce Internet & Intranet Concepts
> > Fone: 5853-2131 / Fax: 5853-2164
> >
> >
> >
> > -
> > [To unsubscribe, send mail to majordomo@lists.gnac.net with
> > "unsubscribe firewalls" in the body of the message.]
>

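
The layout discussed in this thread (external router, DMZ, then a Linux box as internal router doing masquerading and proxy), sketched as an added example that is not part of any poster's message: a script that prints, without applying, a rule set for the internal box. The use of iptables, the interface names, the LAN range and proxy port 3128 are assumptions, not details from the thread.

```shell
#!/bin/sh
# Added example. Prints iptables rules for the internal router in:
#   INTERNET --{external router}-- DMZ --{this Linux box}-- LAN
# Every value below is an assumption made for illustration.
DMZ_IF="eth0"             # interface facing the DMZ / external router (assumed)
LAN_IF="eth1"             # interface facing the internal LAN (assumed)
LAN_NET="192.168.1.0/24"  # private LAN range (constructed)
PROXY_PORT="3128"         # caching proxy running on this box (assumed)

internal_router_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $DMZ_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Checks the generated policy against the design goals of the screened subnet:
# only LAN-sourced traffic is translated, and nothing arriving on the DMZ side
# may open a new connection into the LAN.
check_policy() {
    rules=$(internal_router_rules)
    # Exactly one NAT rule exists.
    [ "$(printf '%s\n' "$rules" | grep -c -- '-j MASQUERADE')" -eq 1 ] || return 1
    # That rule is limited to LAN sources leaving through the DMZ-facing side,
    # so DMZ hosts keep their own addresses (no translation for the DMZ).
    printf '%s\n' "$rules" \
        | grep -q -- "-o $DMZ_IF -s $LAN_NET -j MASQUERADE" || return 1
    # No FORWARD rule accepts new connections coming in from the DMZ side.
    if printf '%s\n' "$rules" | grep -q -- "FORWARD -i $DMZ_IF .*-j ACCEPT"; then
        return 1
    fi
    # Forwarding defaults to drop.
    printf '%s\n' "$rules" | grep -q -- '-P FORWARD DROP' || return 1
    return 0
}

# Print the rules only if the policy check passes.
check_policy && internal_router_rules
```

The printed rules can be reviewed and then piped to `sh` as root on the internal box; management access to the box itself is deliberately not opened here.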

