I am new to the world of networking and am having a hard time understanding what a DMZ is. I understand a DMZ is where you place publicly accessible servers such as Web servers, Mail servers, etc. What I am confused about is how a DMZ is set up. Please correct me if my understanding is incorrect.

  • You have a router that is connected to the Internet
  • Behind this router is a switch (I am unsure as to whether you can have a firewall instead)
  • Behind the switch are the web and mail servers
  • There is then a firewall which has 2 network interfaces one of which is connected to the switch
  • The second interface is then connected to an internal switch
  • Behind the internal switch are the LAN hosts such as PCs, Laptops, Printers, etc.

EDIT

Is it possible for a DMZ to be set up in the following manner as well?

  • You have a router that is connected to the Internet
  • Behind the router is a firewall with 2 network interfaces, one of which is connected to the router
  • Behind the firewall is a switch to which the second interface is connected
  • Behind the switch are the publicly accessible web and mail servers
  • There is a secondary firewall with 2 network interface cards, one of which is connected to the switch
  • The second network interface card is then connected to an internal switch
  • Behind the internal switch are the LAN hosts such as PCs, Laptops, Printers, etc.

PeanutsMonkey

1 Answer

Think of a router/firewall with three interfaces: internet, internal, and DMZ. On the internet side you have your uplink. On the internal side, you have your non-internet facing or private hosts. On the DMZ interface you connect any hosts that are accessible directly from the internet.

http://www.shorewall.net/three-interface.htm

dmourati

  • Having read a number of articles, they suggest that it is not advisable to use a router/firewall that has 3 interfaces. The reason being that if the router/firewall is compromised, the intruder would also have access to the internal network. – PeanutsMonkey May 18 '11 at 07:09
  • That's certainly a tradeoff. The alternative, which is more complex, is to have two separate firewall/router devices in a "sandwich" configuration. For the purposes of your initial question, and focusing on the "simplest of examples", my answer stands. – dmourati May 18 '11 at 07:13
  • Thanks. Would the `sandwich` configuration be what I added in my `EDIT`? – PeanutsMonkey May 18 '11 at 07:15
  • Yes, you got it right. – dmourati May 18 '11 at 07:18
  • Sweet. So my understanding is on the right track. – PeanutsMonkey May 18 '11 at 07:27
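To make the three-zone policy from the answer and the "sandwich" tradeoff from the comments concrete, here is an added Python model (constructed for this page; not code from either poster or from Shorewall). It treats each firewall as a default-deny table keyed on (source zone, destination zone), evaluates a flow against every device on its path, and lets you mark a device as compromised to see what the remaining device still blocks. The zone names, the published ports (80/443 for web, 25 for mail, plus 25/53 outbound from the DMZ) and the "compromised device permits everything" simplification are assumptions of this example.

```python
"""
Zone-policy model of the two DMZ designs discussed on this page.
Constructed example; zone names, ports and the compromise model are assumed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

# Ports the DMZ hosts publish (assumed: web on 80/443, mail on 25).
PUBLIC_PORTS = frozenset({80, 443, 25})
ANY = None  # marker meaning "all destination ports"

# (src_zone, dst_zone) -> allowed destination ports; unlisted pairs are denied.
Policy = Dict[Tuple[str, str], Optional[FrozenSet[int]]]


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dst_port: int


def permitted(policy: Policy, src: str, dst: str, port: int) -> bool:
    """Default deny: a zone pair is open only if it appears in the policy."""
    if (src, dst) not in policy:
        return False
    allowed = policy[(src, dst)]
    return allowed is None or port in allowed


# --- Design 1: one router/firewall with internet, internal and DMZ interfaces
THREE_INTERFACE: Policy = {
    (INTERNET, DMZ): PUBLIC_PORTS,
    (INTERNAL, DMZ): ANY,                  # LAN admins manage DMZ hosts
    (INTERNAL, INTERNET): ANY,             # LAN outbound
    (DMZ, INTERNET): frozenset({25, 53}),  # DMZ outbound: mail relay, DNS (assumed)
    # (DMZ, INTERNAL) and (INTERNET, INTERNAL) are intentionally absent.
}


def three_interface_allows(pkt: Packet, compromised: bool = False) -> bool:
    """A single device holds every zone. If it is compromised, no other
    policy point sits between the internet and the private LAN."""
    if compromised:
        return True
    return permitted(THREE_INTERFACE, pkt.src_zone, pkt.dst_zone, pkt.dst_port)


# --- Design 2: the "sandwich" (outer firewall, DMZ switch, inner firewall)
OUTER: Policy = {
    (INTERNET, DMZ): PUBLIC_PORTS,
    (DMZ, INTERNET): ANY,  # carries LAN outbound traffic as well as the DMZ's
}
INNER: Policy = {
    (INTERNAL, DMZ): ANY,  # LAN to DMZ hosts, and onward to the internet
    # (DMZ, INTERNAL) intentionally absent: DMZ hosts never initiate inward.
}
DEVICES = {"outer": OUTER, "inner": INNER}

# Which device(s) a flow crosses, and as which zone pair on each device.
PATH: Dict[Tuple[str, str], List[Tuple[str, str, str]]] = {
    (INTERNET, DMZ):      [("outer", INTERNET, DMZ)],
    (DMZ, INTERNET):      [("outer", DMZ, INTERNET)],
    (INTERNAL, DMZ):      [("inner", INTERNAL, DMZ)],
    (DMZ, INTERNAL):      [("inner", DMZ, INTERNAL)],
    (INTERNAL, INTERNET): [("inner", INTERNAL, DMZ), ("outer", DMZ, INTERNET)],
    (INTERNET, INTERNAL): [("outer", INTERNET, DMZ), ("inner", DMZ, INTERNAL)],
}


def sandwich_allows(pkt: Packet, compromised: FrozenSet[str] = frozenset()) -> bool:
    """Every device on the path must permit the flow. A compromised device is
    modelled as permitting everything, so the surviving device still decides."""
    for device, src, dst in PATH.get((pkt.src_zone, pkt.dst_zone), []):
        if device in compromised:
            continue
        if not permitted(DEVICES[device], src, dst, pkt.dst_port):
            return False
    return True


if __name__ == "__main__":
    probe = Packet(INTERNET, INTERNAL, 445)  # internet host reaching for the LAN
    print("3-interface, intact:     ", three_interface_allows(probe))
    print("3-interface, compromised:", three_interface_allows(probe, compromised=True))
    print("sandwich, intact:        ", sandwich_allows(probe))
    print("sandwich, outer lost:    ", sandwich_allows(probe, frozenset({"outer"})))
```

The last two lines of the demo are the point of the comments: with one device, a compromise opens the LAN; in the sandwich, losing the outer firewall still leaves the inner one refusing anything the DMZ segment initiates toward the internal network, because that zone pair is simply not in its table.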