Posted by flamer die.spam@hotmail.com on April 29, 2008, 11:31 pm
> On Apr 28, 9:28 pm, "flamer die.s...@hotmail.com"
>
> > are the hosts on the dmz on the same subnet as the protected hosts on
> > the lan? you definitely want to use a different subnet off a different
> > router interface, if a machine on your dmz becomes compromised (which is
> > why it's on a dmz to begin with) then the attacker can access the
> > machines on your LAN from the machine on the dmz (within the same
> > broadcast domain).
>
> > Have a look at http://www.parkansky.com/tutorials/dmz.htm for a basic
> > example.
>
> > Flamer.
>
> This is on an asa5510 firewall. So yes it is a different subnet on a
> separate interface. So - if I give it the access list above then I'm
> thinking that I will still be protected from traffic originating from
> the outside. But that all traffic originating from the inside will
> still be able to go through. Does this hold true for the asa. Thanks
Each interface has a security level, internet = 0, lan = 100, and dmz
= 50 (or somewhere in between). A device on an interface can talk to
anything on an interface with a lower security level (so lan can talk
to anything) but a lower level cannot initiate a connection to a
higher level interface unless permitted to do so (by an access list) -
so a host out on the internet can't talk to the lan or dmz.
Note: That is true for the Cisco PIX, I haven't done too much with
ASAs and I am guessing the same is true.
But yes your access-list will allow dmz access and will not affect
your LAN access if they are not in the same range.
Flamer.
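The three security levels and the access-list behaviour described in the reply above, written out as an added ASA configuration example. This is not configuration from the thread or from either poster (the "access list above" that the question refers to is not shown on this page); the interface names, the RFC 1918 and documentation addresses, the DMZ web server and the access-list names are all assumed, and lines beginning with "!" are annotations rather than commands.

```cisco
! Assumed ASA 5510 interface layout: outside = 0, inside = 100, dmz = 50.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! With no access-group applied, the security-level defaults decide everything:
!   inside  -> dmz / outside : permitted (higher to lower)
!   dmz     -> outside       : permitted (higher to lower)
!   dmz     -> inside        : denied    (lower to higher)
!   outside -> inside / dmz  : denied    (lower to higher)
!
! Assumed DMZ web server, published on a public address (pre-8.3 NAT syntax,
! which is what a 2008-era ASA would be running; ACLs then match the
! translated address).
static (dmz,outside) 203.0.113.3 172.16.1.10 netmask 255.255.255.255
!
! Let the Internet reach only the web server, only on TCP/80 and TCP/443.
! Nothing here grants outside -> inside, so the LAN stays unreachable.
access-list outside_in extended permit tcp any host 203.0.113.3 eq 80
access-list outside_in extended permit tcp any host 203.0.113.3 eq 443
access-group outside_in in interface outside
!
! Caveat: binding an ACL to an interface replaces that interface's implicit
! security-level rule with the ACL, and every ACL ends in an implicit
! "deny ip any any". An ACL applied "in interface dmz" therefore has to
! permit dmz -> outside itself or the DMZ loses Internet access, and it
! must not permit dmz -> inside, or a compromised DMZ host can reach the LAN.
access-list dmz_in extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
```

Because the ASA is stateful, the explicit "deny ip any 192.168.1.0" on the dmz interface only blocks connections that a DMZ host initiates; replies to sessions that inside hosts open towards the DMZ are still returned, which is exactly the "inside can go out, DMZ cannot come in" behaviour the question is asking about.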