DMZ or portforward

on 20.03.2007 04:01:09 by flamer

I am about to run a server which will be serving web and mail only.
There will be one server and one desktop PC behind a cable modem. I am
going to stick a hardware firewall router after the modem, but should I
get one with a dedicated DMZ port or one with two LAN ports? I want
the maximum amount of security, so I only want web and mail ports open
on the server and don't want the server being able to initiate a
connection to the LAN if it becomes compromised. From what I've read it
seems like a DMZ port is quite insecure, as any traffic that isn't
marked for the LAN is sent to the DMZ. I can get a firewall with a
dedicated DMZ port for a similar price as a firewall with 2 separate LAN
ports, so it's down to which is more secure. I believe I can write an
ACL on the DMZ port to block everything bar web and mail. Is there
anything else a DMZ port does that a LAN port doesn't?

Also I will have one static IP, so everything will be NAT'd.

Flamer.

Re: DMZ or portforward

on 20.03.2007 13:01:39 by Leythos

On Mon, 19 Mar 2007 20:01:09 -0700, flamer die.spam@hotmail.com wrote:

> I am about to run a server which will be serving web and mail only.
> There will be one server and one desktop PC behind a cable modem. I am
> going to stick a hardware firewall router after the modem, but should I
> get one with a dedicated DMZ port or one with two LAN ports? I want
> the maximum amount of security, so I only want web and mail ports open
> on the server and don't want the server being able to initiate a
> connection to the LAN if it becomes compromised. From what I've read it
> seems like a DMZ port is quite insecure, as any traffic that isn't
> marked for the LAN is sent to the DMZ. I can get a firewall with a
> dedicated DMZ port for a similar price as a firewall with 2 separate LAN
> ports, so it's down to which is more secure. I believe I can write an
> ACL on the DMZ port to block everything bar web and mail. Is there
> anything else a DMZ port does that a LAN port doesn't?
>
> Also I will have one static IP, so everything will be NAT'd.

Static IP is the best path, but a simple NAT router doesn't offer a lot
of protection against attachments and such.

The DMZ port on most routers (what some call firewalls) is going to pass
ALL traffic directly to the server, so, unless you get a quality device
like the DFL-700 which has a real DMZ network, you're going to expose your
server to the world with all ports exposed.

The server will need HTTPS and SMTP exposed, unless you also allow POP3,
but I don't suggest it. Do not expose HTTP, you can run your web mail on
HTTPS.

In most of the cheap NAT Routers (sometimes called firewalls) the DMZ
network and the LAN network are on the same subnet and they share the same
address space - so if your DMZ network gets compromised then your LAN is
also compromised. A cheap Firewall (a real one) would not have that flaw.

--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: DMZ or portforward

on 20.03.2007 22:42:20 by flamer

On Mar 21, 12:01 am, Leythos wrote:
> Static IP is the best path, but a simple NAT router doesn't offer a lot
> of protection against attachments and such.
>
> The DMZ port on most routers (what some call firewalls) is going to pass
> ALL traffic directly to the server, so, unless you get a quality device
> like the DFL-700 which has a real DMZ network, you're going to expose your
> server to the world with all ports exposed.
>
> The server will need HTTPS and SMTP exposed, unless you also allow POP3,
> but I don't suggest it. Do not expose HTTP, you can run your web mail on
> HTTPS.
>
> In most of the cheap NAT Routers (sometimes called firewalls) the DMZ
> network and the LAN network are on the same subnet and they share the same
> address space - so if your DMZ network gets compromised then your LAN is
> also compromised. A cheap Firewall (a real one) would not have that flaw.
>
> --
> Leythos
> spam999f...@rrohio.com (remove 999 for proper email address)

Thanks for the info. The units I am looking at are Level1 FBR-2000,
which is a real SPI firewall with a hardware DMZ port. I know some cheap
routers with built-in switches can have a port set as a software DMZ,
but they don't interest me. The issue for me is having the server and
desktops on different subnets, but this has raised one more issue: if I
can get a firewall with 1x WAN port and 2x (separate) LAN ports, can I
NAT two different subnets into one public IP?

Flamer.

Re: DMZ or portforward

on 21.03.2007 03:29:13 by flamer

On Mar 21, 9:42 am, "flamer die.s...@hotmail.com"
wrote:
> Thanks for the info. The units I am looking at are Level1 FBR-2000,
> which is a real SPI firewall with a hardware DMZ port. I know some cheap
> routers with built-in switches can have a port set as a software DMZ,
> but they don't interest me. The issue for me is having the server and
> desktops on different subnets, but this has raised one more issue: if I
> can get a firewall with 1x WAN port and 2x (separate) LAN ports, can I
> NAT two different subnets into one public IP?
>
> Flamer.

I'm thinking now of maybe getting a Cisco 1700 with 3 10/100s and
running firewall/IDS IOS on it. Upgrading the DRAM will be the
expensive part.

Flamer.

Re: DMZ or portforward

on 21.03.2007 04:22:29 by Robert Lambe

On Tue, 2007-03-20 at 14:42 -0700, flamer die.spam@hotmail.com wrote:
> Thanks for the info. The units I am looking at are Level1 FBR-2000,
> which is a real SPI firewall with a hardware DMZ port. I know some cheap
> routers with built-in switches can have a port set as a software DMZ,
> but they don't interest me. The issue for me is having the server and
> desktops on different subnets, but this has raised one more issue: if I
> can get a firewall with 1x WAN port and 2x (separate) LAN ports, can I
> NAT two different subnets into one public IP?

You can NAT as many subnets as you like to one public IP.

I'm not personally familiar with the devices you are considering, but I
can relate how I handle this situation. I trunk a router to a switch and
create role-based VLANs. I apply ACLs to the router VLAN interfaces.
This places the rules as close to the hosts as possible and makes it
easy to restrict traffic between VLANs. I use a Cisco 1721/2950 combo
with ADSL.

Re: DMZ or portforward

on 21.03.2007 19:41:57 by Leythos

On Tue, 20 Mar 2007 14:42:20 -0700, flamer die.spam@hotmail.com wrote:

> Thanks for the info. The units I am looking at are Level1 FBR-2000,
> which is a real SPI firewall with a hardware DMZ port. I know some cheap
> routers with built-in switches can have a port set as a software DMZ,
> but they don't interest me. The issue for me is having the server and
> desktops on different subnets, but this has raised one more issue: if I
> can get a firewall with 1x WAN port and 2x (separate) LAN ports, can I
> NAT two different subnets into one public IP?

I have a Firebox II in my shop; it has 16 IPs on the public WAN (External), 7
subnets on the LAN (Trusted) and 3 subnets on the DMZ (Optional).

I have this unit set up to forward SMTP to a specific IP in the LAN, HTTP
to a specific IP in the DMZ, and HTTPS to a specific IP in the LAN, as well
as many other rules/mappings.

A CISCO is a waste of money, doesn't have proxy services and is just plain
a PITA.

If you have a FB-II then you have a very OLD firebox and it's no longer
supported by anyone. A simple Firebox X550e would do all that you want and
more and also provide great protection for SMTP and HTTP as well as remote
access to the network.

--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: DMZ or portforward

on 21.03.2007 23:31:43 by flamer

On Mar 22, 6:41 am, Leythos wrote:
> I have a Firebox II in my shop; it has 16 IPs on the public WAN (External), 7
> subnets on the LAN (Trusted) and 3 subnets on the DMZ (Optional).
>
> I have this unit set up to forward SMTP to a specific IP in the LAN, HTTP
> to a specific IP in the DMZ, and HTTPS to a specific IP in the LAN, as well
> as many other rules/mappings.
>
> A CISCO is a waste of money, doesn't have proxy services and is just plain
> a PITA.
>
> If you have a FB-II then you have a very OLD firebox and it's no longer
> supported by anyone. A simple Firebox X550e would do all that you want and
> more and also provide great protection for SMTP and HTTP as well as remote
> access to the network.
>
> --
> Leythos
> spam999f...@rrohio.com (remove 999 for proper email address)

OK, well, I found out that 1700s only support 2 Ethernet interfaces and
the WICs are 10 Mbps only, so I have bought the Level1 SPI firewall. I
would like a Firebox appliance, but they are probably too high-end for
what I need, plus there are no local resellers where I am. The firewall
I bought has a DMZ port, so I will put access lists blocking everything
other than web and mail outbound. There may be a software hack to
turn the DMZ port into a protected 2nd LAN interface; if not, it will
still do the trick.

Flamer.
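Three points in this thread can be made concrete in a small policy model: Leythos' warning that a DMZ port sharing the LAN subnet cannot be filtered at all, Robert Lambe's approach of putting separate segments behind per-interface ACLs, and flamer's plan to allow only web and mail through the DMZ port. The Python below is an added example written for this edit, not code from the thread or from any of the products named (FBR-2000, Firebox, Cisco IOS). The addresses, zone names, the server's outbound DNS/SMTP rules and the first-match rule list are constructed assumptions; the model covers new connections only, as a stateful firewall admits the replies itself.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# --- Constructed addressing (assumption, not from the thread) --------------
SERVER = ip_address("192.168.2.10")    # web/mail server on the DMZ
DESKTOP = ip_address("192.168.1.20")   # the desktop PC on the LAN
OUTSIDER = ip_address("203.0.113.5")   # an arbitrary Internet host (TEST-NET-3)

# Segmented design: LAN and DMZ are distinct subnets, so every packet
# between them has to transit the firewall, where the rules apply.
SEGMENTED = {ip_network("192.168.1.0/24"): "lan",
             ip_network("192.168.2.0/24"): "dmz"}

# The "cheap router" design from Leythos' post: DMZ port and LAN share one
# subnet, so the server and the desktop are neighbours on one segment.
FLAT = {ip_network("192.168.1.0/24"): "lan"}
FLAT_SERVER = ip_address("192.168.1.10")


def zone(ip: IPv4Address, zones: dict) -> str:
    """Map an address to its security zone; anything unknown is the Internet."""
    for net, name in zones.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[IPv4Address]  # None = any host in dst_zone
    proto: str                       # "tcp", "udp" or "any"
    dport: Optional[int]             # None = any destination port
    action: str                      # "allow" or "deny"

    def matches(self, sz: str, dz: str, dst: IPv4Address, proto: str, dport: int) -> bool:
        return (self.src_zone == sz and self.dst_zone == dz
                and (self.dst_host is None or self.dst_host == dst)
                and (self.proto == "any" or self.proto == proto)
                and (self.dport is None or self.dport == dport))


# Policy for new connections, in the style of a per-interface ACL.
# First match wins; anything unmatched is denied. There is deliberately
# no dmz -> lan rule, so a compromised server cannot initiate into the LAN.
POLICY = [
    Rule("internet", "dmz", SERVER, "tcp", 443, "allow"),  # HTTPS in (webmail)
    Rule("internet", "dmz", SERVER, "tcp", 25, "allow"),   # SMTP in
    Rule("dmz", "internet", None, "tcp", 25, "allow"),     # server delivers mail out
    Rule("dmz", "internet", None, "udp", 53, "allow"),     # server resolves MX records
    Rule("lan", "dmz", SERVER, "tcp", 443, "allow"),       # desktop reaches webmail
    Rule("lan", "internet", None, "any", None, "allow"),   # desktop browses freely
]


def evaluate(src: IPv4Address, dst: IPv4Address, proto: str, dport: int,
             zones: dict = SEGMENTED, policy: list = POLICY) -> str:
    """Return "allow", "deny", or "unfiltered" for a new connection attempt."""
    sz, dz = zone(src, zones), zone(dst, zones)
    if sz == dz:
        # Same segment: the packet is switched host-to-host and never reaches
        # the firewall, so no rule can apply. This is the flat-subnet flaw.
        return "unfiltered"
    for rule in policy:
        if rule.matches(sz, dz, dst, proto, dport):
            return rule.action
    return "deny"


if __name__ == "__main__":
    cases = [
        ("Internet -> server HTTPS", OUTSIDER, SERVER, "tcp", 443, SEGMENTED),
        ("Internet -> server HTTP", OUTSIDER, SERVER, "tcp", 80, SEGMENTED),
        ("server -> desktop SMB", SERVER, DESKTOP, "tcp", 445, SEGMENTED),
        ("desktop -> server HTTPS", DESKTOP, SERVER, "tcp", 443, SEGMENTED),
        ("server -> desktop SMB, flat subnet", FLAT_SERVER, DESKTOP, "tcp", 445, FLAT),
    ]
    for label, s, d, p, port, z in cases:
        print(f"{label:36s} {evaluate(s, d, p, port, z)}")
```

The `unfiltered` result is the point of the model: the rule list is identical in both layouts, but on the flat subnet the server-to-desktop connection is never presented to the firewall, which is exactly why the thread's answer is "separate subnet per role, rules on the interface between them".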