I am at a company where they are using a firewall to protect the DMZ from the LAN and an ACL-based router to protect the DMZ from the internet. I think this is backwards for many reasons, but am trying to find best-practice documentation to support my claims. Anyone have anything solid on this, or am I off base?
It's OK, and in this situation it's better than having them swapped. Just consider this:
You have a firewall protecting your DMZ from the Internet and a router between the DMZ and the LAN. A hacker is trying to break into the company's web server in the DMZ. The firewall will permit these connections since it's legitimate traffic (HTTP to port 80). Now say the hacker broke the web server and he's in there, having full control over the box. Now he just uses that host to surf over your LAN.
In general, the better idea is to use a 3-interface firewall (which is what most people do). And another rule: you use higher protection in the places that are more valuable. If somebody gets into the DMZ, what does he get? And what will he get if he breaks into your LAN?
Good luck,
Michael Shavrov CCNP, CCDP, CCSP, MCSE W2K, Checkpoint CSSA, Security+
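The reasoning in the answer above (a web server in the DMZ must be reachable from the Internet, but a compromised DMZ host must not be able to pivot into the LAN) can be made concrete as a first-match packet-filter policy. The following is an added illustration, not code from this thread or from any vendor: it models a three-interface firewall (WAN/DMZ/LAN) beside the "swapped" design the answer warns about, where only a permissive router ACL separates the DMZ from the LAN. Zone names, ports, the rule format and the sample policies are all assumptions chosen for the example.

```python
"""Toy first-match packet-filter evaluator for comparing firewall placements.

Added example, not code from the original thread. Zone names, ports and the
two sample policies are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str              # zone the packet enters from: "WAN", "DMZ", "LAN" or "*"
    dst: str              # zone the packet is forwarded to, or "*"
    dport: Optional[int]  # destination TCP port; None matches any port
    action: str           # "allow" or "deny"
    comment: str = ""

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (
            self.src in ("*", src)
            and self.dst in ("*", dst)
            and (self.dport is None or self.dport == dport)
        )


# Recommended design: one firewall with three interfaces. Rules are evaluated
# top to bottom and the first match wins; the final rule is a default deny.
THREE_INTERFACE_POLICY: List[Rule] = [
    Rule("WAN", "DMZ", 80,   "allow", "public web service"),
    Rule("WAN", "DMZ", 443,  "allow", "public web service over TLS"),
    Rule("LAN", "DMZ", None, "allow", "admins may manage DMZ hosts"),
    Rule("LAN", "WAN", None, "allow", "outbound browsing from the LAN"),
    Rule("DMZ", "LAN", None, "deny",  "a compromised DMZ host must not pivot inward"),
    Rule("DMZ", "WAN", None, "deny",  "DMZ hosts are servers, not clients (assumed)"),
    Rule("*",   "*",   None, "deny",  "default deny"),
]

# The "swapped" design from the answer: the firewall only separates WAN from
# DMZ, and the DMZ-to-LAN boundary is a router whose ACL simply forwards
# traffic. Modelled here as the union of the two devices' effective rules.
SWAPPED_POLICY: List[Rule] = [
    Rule("WAN", "DMZ", 80,   "allow", "firewall: public web service"),
    Rule("WAN", "DMZ", 443,  "allow", "firewall: public web service over TLS"),
    Rule("WAN", "*",   None, "deny",  "firewall: everything else from the Internet"),
    Rule("DMZ", "LAN", None, "allow", "router: no ACL on DMZ->LAN (assumed)"),
    Rule("LAN", "*",   None, "allow", "router: LAN may reach anything"),
    Rule("*",   "*",   None, "deny",  "default deny"),
]


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> Rule:
    """Return the first rule that matches the flow; the policy ends in a catch-all."""
    for rule in policy:
        if rule.matches(src, dst, dport):
            return rule
    raise ValueError("policy has no catch-all rule")


def pivot_possible(policy: List[Rule], ports=(22, 139, 445, 3389)) -> List[int]:
    """List the sample ports on which a host in the DMZ could open a connection
    into the LAN under this policy. A non-empty result is the risk the answer
    describes: web server compromise turns into LAN access."""
    return [p for p in ports if evaluate(policy, "DMZ", "LAN", p).action == "allow"]


if __name__ == "__main__":
    for name, policy in (("three-interface", THREE_INTERFACE_POLICY),
                         ("swapped", SWAPPED_POLICY)):
        print(f"{name}: WAN->DMZ:80 is",
              evaluate(policy, "WAN", "DMZ", 80).action,
              "; DMZ->LAN pivot ports:", pivot_possible(policy))
```

Both policies serve the public web site identically (WAN to DMZ on port 80 is allowed), which is why the firewall placement alone is not what protects the LAN; what matters is the rule on the DMZ-to-LAN boundary. With the three-interface policy `pivot_possible` returns an empty list, while the swapped design returns every probed port, matching the answer's point that the strongest control belongs in front of the most valuable segment.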
Firewall versus Router for WAN