dmz design

L3 Networker

dmz design

Hi,

 

What is the benefit of having a DMZ set up with two firewalls?

 

If we have a DMZ set up with two firewalls (I don't know whether this is a valid and adopted design; I found it on the net)

 

If this is a valid design, how does the traffic flow from the local LAN to outside (10.0.10.0/24 to the internet), and from outside to the local LAN 10.0.10.0/24?

 

Thanks

fw.png

L7 Applicator

Re: dmz design

Hello,

One thing is the amount of load on the firewall. With two you're splitting some of the traffic off, and the outer one is taking the brunt of the external attacks. In the modern world, with next-gen firewalls that are sized appropriately, either design will work. I don't see a problem with the collapsed DMZ model, e.g. one firewall with the DMZ branched off.

 

As long as they are configured correctly :).

 

Just my thoughts,

L3 Networker

Re: dmz design

Hi,

Thanks for the reply. If I need to design a DMZ with two firewalls, could you please give a sample topology and the data flow?

Thanks

 

L6 Presenter

Re: dmz design

That's a bit difficult, as it depends on what you are using the DMZ for and what type of services are contained within it.

 

In a basic setup, traffic from outside is only allowed access to the DMZ. More modern designs use the DMZ for such devices as reverse proxies, FTP servers, RDS and VDI gateways, etc.

 

If you are twin firewalling for added intrusion prevention, as @Otakar.Klier suggested, then the DMZ just becomes a stub network.

 

 

L3 Networker

Re: dmz design

Hi,

In the twin firewalling case, how does the local LAN network traffic flow to outside?

Sorry, I really don't understand the twin firewalling case.

If I am going for twin firewalling, how does the traffic flow from inside to outside and to the DMZ?

Thanks

L6 Presenter

Re: dmz design

Once again there are many variations, but in your picture 1, traffic from the LAN will go through both firewalls to the internet.

 

LAN traffic to the DMZ will only traverse firewall B.

Traffic from the internet to the DMZ will only traverse firewall A.

 

Traffic from the internet to the LAN (not recommended) will first traverse firewall A and then firewall B.

 

If you don't understand it, then you probably won't need it.

 

 

L6 Presenter

Re: dmz design

To add to my previous post....

 

For LAN traffic to the internet...

 

Firewall B will need to be the default gateway for the LAN.

 

Firewall A will need to be the default gateway for firewall B.

 

Firewall B will be aware of the DMZ, so it will not use the default gateway for it.

 

My explanation is very, very basic, but you will need to add various routes and NAT for this to perform correctly/securely.
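To make the two previous replies concrete (LAN traffic crossing both firewalls, LAN-to-DMZ crossing only B, internet-to-DMZ crossing only A, and B's default route pointing at A), here is an added example that models that chain and traces each flow through it. It is not code from the thread or from any vendor; only 10.0.10.0/24 comes from the original post. The DMZ prefix 192.0.2.0/24, the zone names, the allow rules and the routed no-NAT setup are assumptions chosen to match the flows described above.

```python
"""Two-firewall DMZ model: LAN -[firewall B]- DMZ -[firewall A]- Internet.

Added example, not code from the original posts.  Only 10.0.10.0/24 is from
the thread; the DMZ prefix, zone names and allow rules are assumptions
chosen to reproduce the traffic flows described (routed, no NAT).
"""
import ipaddress
from typing import List, Optional, Tuple

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network

LAN = ipaddress.ip_network("10.0.10.0/24")   # from the original post
DMZ = ipaddress.ip_network("192.0.2.0/24")   # assumed DMZ prefix
SEGMENTS = ["lan", "dmz", "internet"]        # left to right in the picture


def segment_of(ip: IPv4Address) -> str:
    """Which segment a host sits on; anything not LAN or DMZ is the Internet."""
    if ip in LAN:
        return "lan"
    if ip in DMZ:
        return "dmz"
    return "internet"


class Firewall:
    """Zone firewall: interface routes, a default-gateway zone, allow rules.

    routes: (prefix, zone) pairs, longest prefix wins.
    default_zone: the zone the default route points into (next hop outward).
    policy: (src_zone, dst_zone, dst_prefix) allow rules; dst_prefix None
    means any address in that zone.  Unmatched traffic is denied.
    """

    def __init__(self, name: str, routes: List[Tuple[IPv4Network, str]],
                 default_zone: str,
                 policy: List[Tuple[str, str, Optional[IPv4Network]]]):
        self.name = name
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)
        self.default_zone = default_zone
        self.policy = policy

    def zone_of(self, ip: IPv4Address) -> str:
        for prefix, zone in self.routes:
            if ip in prefix:
                return zone
        return self.default_zone

    def permits(self, src: IPv4Address, dst: IPv4Address) -> bool:
        src_zone, dst_zone = self.zone_of(src), self.zone_of(dst)
        for rule_src, rule_dst, dst_prefix in self.policy:
            if (rule_src, rule_dst) == (src_zone, dst_zone) and (
                dst_prefix is None or dst in dst_prefix
            ):
                return True
        return False


# Firewall B: default gateway of the LAN.  It has a connected route for the
# DMZ, so DMZ-bound traffic never uses its default route, which points at A.
FW_B = Firewall(
    "B",
    routes=[(LAN, "lan"), (DMZ, "dmz")],
    default_zone="outside",
    policy=[("lan", "outside", None), ("lan", "dmz", None)],
)

# Firewall A: default gateway of firewall B.  The LAN is only reachable through
# A's DMZ-side interface (via B), so on A it lands in the "dmz" zone.  The
# inbound rule is therefore scoped to the DMZ prefix; an unscoped rule would
# let Internet->LAN through at A and leave only B to stop it (FW_A_UNSCOPED).
FW_A = Firewall(
    "A",
    routes=[(DMZ, "dmz"), (LAN, "dmz")],
    default_zone="internet",
    policy=[("dmz", "internet", None), ("internet", "dmz", DMZ)],
)
FW_A_UNSCOPED = Firewall(
    "A",
    routes=FW_A.routes,
    default_zone="internet",
    policy=[("dmz", "internet", None), ("internet", "dmz", None)],
)


def trace(src: str, dst: str, fw_a: Firewall = FW_A, fw_b: Firewall = FW_B):
    """Return ([(firewall, permitted), ...] in traversal order, overall verdict)."""
    between = {("dmz", "lan"): fw_b, ("dmz", "internet"): fw_a}
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s, t = SEGMENTS.index(segment_of(s_ip)), SEGMENTS.index(segment_of(d_ip))
    step = 1 if t >= s else -1
    hops = [between[tuple(sorted((SEGMENTS[i], SEGMENTS[i + step])))]
            for i in range(s, t, step)]
    verdicts = [(fw.name, fw.permits(s_ip, d_ip)) for fw in hops]
    return verdicts, all(ok for _, ok in verdicts)


if __name__ == "__main__":
    # Constructed sample flows (198.51.100.7 stands in for an internet host).
    for src, dst in [("10.0.10.20", "198.51.100.7"), ("10.0.10.20", "192.0.2.10"),
                     ("198.51.100.7", "192.0.2.10"), ("198.51.100.7", "10.0.10.20"),
                     ("192.0.2.10", "10.0.10.20")]:
        print(src, "->", dst, trace(src, dst))
```

The trace of internet-to-LAN shows why the reply above calls that flow "not recommended" and why a second firewall is worth having: firewall A can only tell LAN addresses from DMZ addresses by prefix, since both arrive on its DMZ-side interface, so a rule written purely by zone lets them in and B is the only thing left denying them.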

 

 

 

L3 Networker

Re: dmz design

Hi,

As per the diagram I posted in the first post, between FW A and FW B is the DMZ zone.

So the LAN traffic to the internet should go through this zone?

Thanks 

L6 Presenter

Re: dmz design

Yes, in your diagram 1 the LAN traffic will route across the DMZ to the internet, and your incoming traffic from the internet to the LAN will take the same route.

 

We do not allow this on our network for security reasons, but it's up to you.

 

 

 

L6 Presenter

Re: dmz design

For your drawing 1 I would do as below.

This way the DMZ is independent of your outgoing traffic flow.

 

The objective of a DMZ is to allow sessions to it but no further.

 

You do not need the DMZ on both firewalls; you could have it on just one as per drawing 2, but this option will eliminate the trombone effect on the DMZ interface.

 

Please excuse my doodle, it's an iPad.

50807C07-8164-4918-A41C-1C5C72ADAB8C.jpeg

 

 
