Demilitarised zone (DMZ) topology
A DMZ is the most common and most secure firewall topology; it is often referred to as a screened subnet. A DMZ creates a protected buffer zone between the Internet and your internal network.
A DMZ will typically contain the following:
- Web server
- Mail server
- Application gateway
- E-commerce systems (only the front-end systems; the back-end systems should stay on your internal network)
A DMZ is considered very secure because it supports network- and application-level security in addition to providing a secure place to host your public servers. A bastion host (proxy), modem pools, and all public servers are placed in the DMZ.
Furthermore, the outside firewall protects against external attacks and manages all Internet access to the DMZ. The inside firewall manages DMZ access to the internal network and provides a second line of defense if the external firewall is compromised. In addition, LAN traffic to the Internet is managed by the inside firewall and the bastion host on the DMZ. With this type of configuration, a hacker must compromise three separate areas (external firewall, internal firewall, and the bastion host) to fully obtain access to your LAN.
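The following is an added example, not code from the TechRepublic article: a small model of the screened-subnet policy just described, with an outside firewall between the Internet and the DMZ and an inside firewall between the DMZ and the LAN. The address plan (10.10.0.0/24 for the DMZ, 10.20.0.0/24 for the LAN), the host addresses and the ports are constructed for illustration. It evaluates a packet against every firewall on its path, so it shows why direct Internet-to-LAN traffic is denied even when the outside firewall is misconfigured wide open, and why a compromised web server still cannot reach the back-end database.

```python
# Added example (not the article's own code): a first-match, default-deny
# model of a two-firewall DMZ. Addresses, prefixes and ports are constructed.
from dataclasses import dataclass
from typing import Optional, List
import ipaddress

# Constructed address plan; anything outside these two ranges is "internet".
DMZ_NET = ipaddress.ip_network("10.10.0.0/24")
LAN_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed DMZ hosts
BASTION = "10.10.0.1"     # bastion host / proxy
WEB = "10.10.0.10"
MAIL = "10.10.0.11"
APP_GW = "10.10.0.12"     # application gateway (e-commerce front end)
# Constructed LAN host: the only back-end system the gateway may talk to
BACKEND_DB = "10.20.0.50"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: Optional[str]      # None means any host in the zone
    dst: Optional[str]
    dport: Optional[int]    # None means any port
    action: str


def zone(ip: str) -> str:
    """Classify an address into one of the three zones."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if addr in LAN_NET:
        return "lan"
    return "internet"


def matches(rule: Rule, p: Packet) -> bool:
    return (rule.src_zone == zone(p.src) and rule.dst_zone == zone(p.dst)
            and rule.src in (None, p.src) and rule.dst in (None, p.dst)
            and rule.dport in (None, p.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if matches(r, p):
            return r.action
    return "deny"


# Outside firewall: governs all traffic between the Internet and the DMZ.
OUTSIDE_FW = [
    Rule("internet", "dmz", None, WEB, 80, "allow"),
    Rule("internet", "dmz", None, WEB, 443, "allow"),
    Rule("internet", "dmz", None, MAIL, 25, "allow"),
    Rule("dmz", "internet", BASTION, None, None, "allow"),  # proxied LAN browsing
    Rule("dmz", "internet", MAIL, None, 25, "allow"),       # outbound mail
]

# Inside firewall: governs all traffic between the DMZ and the LAN.
INSIDE_FW = [
    Rule("dmz", "lan", APP_GW, BACKEND_DB, 1433, "allow"),  # gateway -> back end only
    Rule("lan", "dmz", None, BASTION, 8080, "allow"),       # LAN clients -> proxy
    Rule("lan", "dmz", None, MAIL, 143, "allow"),           # LAN clients -> mailbox
]


def path(p: Packet, outside: List[Rule], inside: List[Rule]) -> List[List[Rule]]:
    """Firewalls a packet must traverse, from the zones of its two endpoints."""
    zones = {zone(p.src), zone(p.dst)}
    if zones == {"internet", "dmz"}:
        return [outside]
    if zones == {"dmz", "lan"}:
        return [inside]
    if zones == {"internet", "lan"}:
        return [outside, inside]      # both firewalls sit between these zones
    return []                         # same zone: nothing in between


def permitted(p: Packet, outside=OUTSIDE_FW, inside=INSIDE_FW) -> bool:
    """A packet gets through only if every firewall on its path allows it."""
    return all(evaluate(fw, p) == "allow" for fw in path(p, outside, inside))


if __name__ == "__main__":
    # A wide-open outside firewall still does not expose the LAN.
    wide_open = [Rule("internet", "lan", None, None, None, "allow")]
    print(permitted(Packet("203.0.113.5", BACKEND_DB, 1433), outside=wide_open))
```

Because `path` returns both firewalls for any Internet/LAN pair, the inside firewall's lack of any `internet -> lan` rule is what keeps the LAN closed; that is the second line of defense the paragraph describes. The same mechanism forces LAN clients out through the bastion host: a LAN client addressing the Internet directly matches nothing on the inside firewall and is dropped.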
Many companies take it one step further by also adding an intrusion detection system (IDS) to their DMZ. An IDS lets you spot suspicious activity early, before a small problem escalates into a major one.
Summary
In this article, we've examined the basic firewall designs that are prevalent in the business world today. Of course, there is no perfect firewall design. Every network is unique in its business model and should have a firewall tailored for the company's specific needs.
When designing a firewall, you must consider numerous factors, including cost, training, security, technical expertise, and timeframe to implement. Once you've taken all these factors into account and have established a good security policy, you can begin implementing your firewall topology. The diagrams I've presented here, which are available for download, can serve as templates when you design your own topology.
©2001 TechRepublic, Inc.
Hello,
I am starting to hear a lot about NetScreen, and via the web, NetScreen features alongside Cisco PIX.
Can you run something to update readers about NetScreen, perhaps run an unbiased feature on NetScreen versus other firewalls with VPN, etc.?
Many thanks,
Josephine