Posted by flamer die.spam@hotmail.com on March 20, 2007, 10:29 pm
On Mar 21, 9:42 am, "flamer die.s...@hotmail.com"
>
>
>
> > On Mon, 19 Mar 2007 20:01:09 -0700, flamer die.s...@hotmail.com wrote:
> > > I am about to run a server which will be serving web and mail only.
> > > There will be one server and one desktop pc behind a cable modem, I am
> > > going to stick a hardware firewall router after the modem but should I
> > > get one with a dedicated dmz port or one with two lan ports? I want
> > > the maximum amount of security so I only want web and mail ports open
> > > on the server and don't want the server being able to initiate a
> > > connection to the lan if it becomes compromised. From what I've read
> > > seems like a dmz port is quite insecure as any traffic that isn't
> > > marked for the lan is sent to the dmz.. I can get a firewall with a
> > > dedicated dmz port for similar price as a firewall with 2 separate lan
> > > ports so it's down to which is more secure.. I believe I can write an
> > > acl on the dmz port to block everything bar web and mail.. is there
> > > anything else a dmz port does that a lan port doesn't?
>
> > > Also I will have one static ip so everything will be nat'd.
>
> > Static IP is the best path, but a simple NAT router doesn't offer a lot
> > of protection against attachments and such.
>
> > The DMZ port on most routers (what some call firewalls) is going to pass
> > ALL traffic directly to the server, so, unless you get a quality device
> > like the DFL-700 which has a real DMZ network, you're going to expose your
> > server to the world with all ports exposed.
>
> > The server will need HTTPS and SMTP exposed, unless you also allow POP3,
> > but I don't suggest it. Do not expose HTTP, you can run your web mail on
> > HTTPS.
>
> > In most of the cheap NAT Routers (sometimes called firewalls) the DMZ
> > network and the LAN network are on the same subnet and they share the same
> > address space - so if your DMZ network gets compromised then your LAN is
> > also compromised. A cheap Firewall (a real one) would not have that flaw.
>
> > --
> > Leythos
> > spam999f...@rrohio.com (remove 999 for proper email address)
>
> Thanks for the info, the units I am looking at are level1 fbr-2000
> which is a real spi firewall with hardware dmz port, I know some cheap
> routers with built in switches can have a port set as a software dmz
> but they don't interest me. The issue for me is having the server and
> desktops on different subnets but this has raised one more issue, if I
> can get a firewall with 1x wan port and 2x(separate) lan ports can I
> nat two different subnets into one public ip?
>
> Flamer.
I'm thinking now of maybe getting a cisco 1700 with 3 10/100's and
running firewall/ids ios on it.. upgrading the dram will be the
expensive part.
Flamer.
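As an added illustration (not from the thread, and not the configuration syntax of the Level1 or Cisco units mentioned in it), here is a Linux nftables ruleset that implements the layout the thread converges on: DMZ and LAN on separate subnets, only HTTPS and SMTP published to the server, the DMZ host unable to initiate connections into the LAN, and both private subnets NATed behind the one public address. Interface names, subnets and the server address are assumptions.

```nft
# Added example, not part of the original thread. Assumed layout:
#   eth0 = WAN (single public IP), eth1 = LAN 192.168.1.0/24,
#   eth2 = DMZ 192.168.2.0/24, web/mail server at 192.168.2.10
table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # router management reachable from the LAN side only
        iif "eth1" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ server: only HTTPS and SMTP (after the DNAT below)
        iif "eth0" oif "eth2" ip daddr 192.168.2.10 tcp dport { 443, 25 } ct state new accept

        # LAN may reach the Internet and the published services on the server
        iif "eth1" oif "eth0" accept
        iif "eth1" oif "eth2" ip daddr 192.168.2.10 tcp dport { 443, 25 } accept

        # DMZ may reach the Internet (outbound mail delivery) but never the LAN,
        # so a compromised server cannot open connections inward; the counter
        # gives a cheap indicator of attempts worth investigating.
        iif "eth2" oif "eth1" counter drop
        iif "eth2" oif "eth0" accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # publish only 443 and 25 from the public IP to the DMZ server
        iif "eth0" tcp dport { 443, 25 } dnat to 192.168.2.10
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # both private subnets share the single public address (overloaded NAT)
        oif "eth0" ip saddr { 192.168.1.0/24, 192.168.2.0/24 } masquerade
    }
}
```

Load with `nft -f <file>` on a box with IP forwarding enabled; `nft list chain inet fw forward` shows the counter on the DMZ-to-LAN drop rule.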