Setting up a DMZ

Guys I need some advice on how best to set up a DMZ for a web server.

We have a webserver that needs to be accessible from the internet and at the same time has a connection to our DB server.

The firewall has a spare port on it, but I am unsure how to go about the basic setup of a DMZ.

Any advice you can give is appreciated!

Thanks
 
What sort of kit are you using?

Home networking kit will just enable the DMZ full port access.

Proper professional networking stuff will enable DMZ PCs' access to the net, but not the internal network, and work a bit like a separate subnet, but more complicated and, more importantly, much more secure.
 
It is professional kit, a Cisco PIX firewall.

However, I'm not so much after the configuration, but more an overview of how it would work.

Networking and security are not my strongest points.
 
Am I being ripped off?

OK, a little advice needed here.

Basically we have a managed firewall from a company.

Our internet connection comes in via their data centre, then down a 10Mb leased line to us.

I need this DMZ created on the managed firewall and they are saying that it is 2 days' work and chargeable at £1100/day.

Can anyone who works for a networking or managed services company tell me if I am crazy in thinking this is extortionate for what I imagine to be some rule changes on the PIX firewall?
 
We have 5 spare ones on that connection.

We also already pay this company close to £4K/month for services with them.
 
Hmmm, seems a bit steep really. I think about a day's work at the most.

Enabling an interface and setting up the subnet. NATting the server IP to an external IP (if it's done at your firewall; if not, it'll be done at a firewall further upstream). Then I count 5-6 rules:

1. Outside (the net connection) ANY to DMZ Server TCP 80
2. Outside ANY to DMZ Server TCP 443 (if you want HTTPS)
3. DMZ Server to Inside (your LAN) Host running the Backend DB (poss TCP 1521 for SQL*Net)
4. Inside ANY to DMZ Server TCP 80
5. Inside ANY to DMZ Server TCP 443
6. Inside ANY (or range) to DMZ Server TCP 21 (for FTP updates to the server)

Maybe adding some routing within their network too. I've done more than that in a day....

Can't you ask them for some changes to be made under your existing support and maintenance contract? I know that's the case with some separately managed firewalls that I've had to make changes on.

Kev
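To give the overview the original poster asked for, here is an added example that is not from the thread and is not PIX configuration: a small Python model of the six-rule policy Kev lists, with the static NAT step in front of it and an implicit deny at the end. The address plan (10.0.0.0/24 for the LAN, 192.168.10.0/24 for the DMZ, 203.0.113.10 as the web server's public address) and the sample flows are constructed assumptions. Running it shows the property a DMZ is for: a request from the internet can only reach the web server on 80/443, and the web server can only reach the LAN on the single DB port, so a compromised web server gets no further than the rules allow.

```python
"""Model of a three-zone (outside / DMZ / inside) firewall policy.

Constructed example: addresses, rule names and sample flows are assumptions,
not taken from the thread and not Cisco PIX syntax.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed address plan (assumption).
INSIDE = ip_network("10.0.0.0/24")       # the LAN behind the firewall
DMZ = ip_network("192.168.10.0/24")      # subnet on the firewall's spare port
ANY = ip_network("0.0.0.0/0")
WEB = ip_network("192.168.10.10/32")     # DMZ web server
DB = ip_network("10.0.0.20/32")          # backend DB server on the LAN
WEB_PUBLIC = ip_address("203.0.113.10")  # external address the web server is NATted to

# Static NAT: public address -> DMZ address, applied before the rules are consulted.
STATIC_NAT = {WEB_PUBLIC: ip_address("192.168.10.10")}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str       # interface the packet arrives on: outside, dmz or inside
    src: IPv4Network
    dst: IPv4Network
    dport: int          # TCP destination port


# The six rules from the post, in order. Anything not matched is dropped.
RULES = [
    Rule("rule1", "outside", ANY, WEB, 80),    # Outside ANY -> DMZ server TCP 80
    Rule("rule2", "outside", ANY, WEB, 443),   # Outside ANY -> DMZ server TCP 443
    Rule("rule3", "dmz", WEB, DB, 1521),       # DMZ server -> inside DB host (SQL*Net)
    Rule("rule4", "inside", INSIDE, WEB, 80),  # Inside ANY -> DMZ server TCP 80
    Rule("rule5", "inside", INSIDE, WEB, 443), # Inside ANY -> DMZ server TCP 443
    Rule("rule6", "inside", INSIDE, WEB, 21),  # Inside ANY -> DMZ server TCP 21 (FTP)
]


def zone_of(addr: IPv4Address) -> str:
    """Map a source address to the interface it would arrive on."""
    if addr in DMZ:
        return "dmz"
    if addr in INSIDE:
        return "inside"
    return "outside"


def evaluate(src: str, dst: str, dport: int):
    """Return the name of the first matching rule, or None for the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    d = STATIC_NAT.get(d, d)          # untranslate the public address first
    zone = zone_of(s)
    for rule in RULES:
        if (rule.src_zone == zone and s in rule.src
                and d in rule.dst and rule.dport == dport):
            return rule.name
    return None


# Constructed sample flows: (description, src, dst, dport).
SAMPLE_FLOWS = [
    ("internet user -> public web, HTTP", "198.51.100.7", "203.0.113.10", 80),
    ("internet user -> public web, SSH", "198.51.100.7", "203.0.113.10", 22),
    ("internet user -> LAN DB directly", "198.51.100.7", "10.0.0.20", 1521),
    ("web server -> DB, SQL*Net", "192.168.10.10", "10.0.0.20", 1521),
    ("web server -> DB, SMB", "192.168.10.10", "10.0.0.20", 445),
    ("web server -> other LAN host", "192.168.10.10", "10.0.0.50", 1521),
    ("LAN admin -> web server, FTP", "10.0.0.5", "192.168.10.10", 21),
    ("LAN admin -> web server, RDP", "10.0.0.5", "192.168.10.10", 3389),
]


def summarise():
    """Evaluate every sample flow; returns a list of (description, verdict)."""
    return [(desc, evaluate(s, d, p) or "deny") for desc, s, d, p in SAMPLE_FLOWS]


if __name__ == "__main__":
    for desc, verdict in summarise():
        print(f"{desc:40s} {verdict}")
```

The model denies by default in every direction, which is the conservative way to think about the design. On a real PIX, traffic from a higher-security interface (inside) to a lower one (the DMZ or outside) is permitted by default unless an access list is bound to the inside interface, so rules 4 to 6 only need writing explicitly once the inside interface is locked down as well; rules 1 to 3 and the implicit deny from the DMZ towards the LAN are the ones that carry the security value.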
 