First off, I think it's necessary to establish what servers should be placed on the DMZ. It is often applied to web, ftp, dns, and smtp servers in the cases that I have seen. So the most efficient application of DMZ would be to have a subnet given to the switch that will be between your servers and your firewall. This way you can just place that whole network on the DMZ. As for setting it up you'll need some books and maybe a network engineering class. j/k j/k. Please don't take any offense.
I believe that you will hit a security issue if you follow saavik's advice. Of course the firewall will leave them wide open to the Internet because of the DMZ but you will want local firewalls on those boxes to restrict access to other ports that might be open, protocols, and other stuff that you might want like ICMP. A firewall is a primary source of security between your boxes and the internet so be sure to use them wisely.
The firewall, in most cases, is a router with the DMZ enabled for a particular network. So if this is your setup then you need to create a DMZ.
DMZ or De-Militarized Zone is simply that: a neutral piece of network between the un-trusted internet and the trusted LAN.
What to put in the DMZ? As said before, any publicly accessible servers. No user's workstations or anything with loads of private data.
What defines a DMZ? Simplified answer: the IP addresses. Publicly accessible machines need to have an IP address that is reachable from the internet (i.e. paid for, registered in your ISP's DNS, etc).
All local LAN machines should - in theory - have non-public IPs, like 192.168.x.x
Firewalls should allow:
-limited access between internet and the DMZ machines (i.e. only allow the services that the servers are used for, e.g. allow SMTP traffic if you have a mail server in the DMZ, etc).
-limited access between LAN and DMZ
-as little as possible "incoming" access from internet to your LAN. Some "outgoing" access (i.e. allowing your LAN computers to surf the internet) may be acceptable.
As for the servers you plan to set up:
File and print servers probably need to be on the private LAN, not in the DMZ.
FTP server may be on the DMZ if it needs to be accessible from outside. Just remember to restrict FTP access.
DNS server should go in the DMZ, I'd say.
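
The three firewall rules listed in the post above, written out as an nftables ruleset for a firewall with one interface per zone. This is an added example, not part of any poster's message; the interface names, the 203.0.113.0/28 DMZ range, the 192.168.1.0/24 LAN range, the server addresses and the chosen ports are all assumptions.

```nft
#!/usr/sbin/nft -f
# Assumed topology (constructed for this example, not from the thread):
#   wan0 = internet uplink, dmz0 = DMZ switch, lan0 = private LAN
flush ruleset

define WAN  = "wan0"
define DMZ  = "dmz0"
define LAN  = "lan0"
define MAIL = 203.0.113.2    # documentation range standing in for public IPs
define WEB  = 203.0.113.3
define DNS  = 203.0.113.4
define FTP  = 203.0.113.5

table inet dmz_fw {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the service each server exists for.
        iifname $WAN oifname $DMZ ip daddr $MAIL tcp dport 25 accept
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ ip daddr $DNS meta l4proto { tcp, udp } th dport 53 accept
        # FTP control channel only; data channels need the conntrack FTP helper (not shown).
        iifname $WAN oifname $DMZ ip daddr $FTP tcp dport 21 accept

        # LAN -> DMZ: limited to administration and the published services.
        iifname $LAN oifname $DMZ tcp dport { 22, 25, 80, 443 } accept
        iifname $LAN oifname $DMZ ip daddr $DNS meta l4proto { tcp, udp } th dport 53 accept

        # LAN -> internet: outgoing access; replies return via the established rule.
        iifname $LAN oifname $WAN accept

        # New connections from internet or DMZ into the LAN: log, count, drop.
        iifname { $WAN, $DMZ } oifname $LAN log prefix "to-lan-drop " counter drop
    }
}

table ip lan_nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Private LAN addresses are not routable on the internet, so masquerade them.
        oifname $WAN ip saddr 192.168.1.0/24 masquerade
    }
}
```

The ruleset covers forwarded traffic only; traffic addressed to the firewall itself would need its own input chain.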