Usually a DMZ is used to be sure that hosts in that subnetwork cannot start new connections to the outside world. Obviously there are some exceptions, like SMTP. For example, is it necessary that the Web server that sits on the DMZ opens new tcp/80 connections to the Internet? It seems that the Code Red worm should never have spread if such simple cautions were deployed. "Good" hackers know the bugs and exploits at least 10 to 15 days in advance. It's quite impossible to maintain a system 100% updated. This simple practice (using a DMZ) avoids this type of attack. Even if an external host compromises your host, it cannot be used to start attacks on others, spreading the malicious code.

This restrictive policy applied to the DMZ cannot be used for internal hosts (fw clients), where you leave open a great variety of services from the inside network to the outside.

-----Original Message-----
From: Guinn Unger [mailto:geunger@xxxxxxxxxxxxx]
Sent: Monday, 30 July 2001 23:44
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: IP Addresses on DMZ

http://www.ISAserver.org

I have read a good bit of this material, but it gets rather overwhelming pretty quickly. So suppose we step back 10 paces and ask ourselves what we really want.

My ultimate goal is to have internet access, publish one or two web servers, publish an Exchange server, and have VPN access both from our desktops to outside sites and from outside to our network. From what I had read, it seemed like a DMZ would be a good solution, but I'm beginning to wonder.

If I go back to our ISP and ask for a bigger block of IP addresses I feel pretty certain they are going to balk. They seemed very reluctant to give us the eight that they did. (It also seems like we are using IP addresses pretty inefficiently if I need more than 8 public IP addresses to publish three servers. Oh, well.)

How much of a security risk would it really be to have our web servers and Exchange server on our private network? Does the DMZ really offer that much extra security? If we keep up with security patches and such, do we really need the DMZ? I can't imagine that we have very much that anybody would want on our network except to take over a server for DOS attacks or something similar. Does that make sense?

Again, thanks in advance for the help.

Guinn

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, July 30, 2001 7:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: IP Addresses on DMZ

http://www.ISAserver.org

One problem you have is that with 6 IPs, any further subnetting is limited to two functional DMZ IPs; one for the ISA DMZ NIC and one for the DMZ server.

There is some general ISA deployment reading you should do before plunging headlong into the abyss that is ISA :-)...

http://www.isaserver.org/shinder/tips/getting_started.htm
http://www.isaserver.org/shinder/tutorials/secure_nat_client.htm
http://www.isaserver.org/shinder/tutorials/designing_an_isa_server_solution_on_a%20_simple_network.htm
http://www.isaserver.org/pages/tutorials/isanetworks.htm
http://www.isaserver.org/shinder/tutorials/dmz_scenarios.htm

and many more in the "Learning Zone"...

Jim Harrison
MCP(2K), A+, Network+, PCG

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: Hugo@xxxxxxxxxxxxx
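The restrictive DMZ policy described in the top reply (no new connections out of the DMZ except the SMTP relay, while internal clients keep broad outbound access), written as an added nftables ruleset that is not from the thread or from ISA Server. The interface names, the 192.0.2.0/24 DMZ range and the two server addresses are assumptions constructed for the example.

```nft
#!/usr/sbin/nft -f
# Assumed topology (constructed for this example):
#   eth0 = Internet, eth1 = DMZ (192.0.2.0/24), eth2 = internal LAN
#   192.0.2.10 = published web server, 192.0.2.25 = SMTP relay
flush ruleset

table inet dmz_policy {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already permitted below flow freely.
        ct state established,related accept
        ct state invalid drop

        # Inbound publishing: the Internet may reach the web server on tcp/80
        # and the relay on tcp/25, and nothing else in the DMZ.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport 80 ct state new accept
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.25 tcp dport 25 ct state new accept

        # The one outbound exception the thread names: only the relay may open
        # tcp/25 towards the Internet. udp/53 is an assumed extra so it can
        # resolve MX records; drop that line if DNS is served elsewhere.
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.25 tcp dport 25 ct state new accept
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.25 udp dport 53 accept

        # Every other new connection originating in the DMZ, towards the
        # Internet or the internal LAN, is logged and dropped. A compromised
        # web server trying to open tcp/80 to other hosts ends here, which is
        # the Code Red propagation path the reply refers to.
        iifname "eth1" ct state new log prefix "dmz-egress-drop: " drop

        # Internal hosts (the "fw clients" case) keep their wide outbound access.
        iifname "eth2" oifname "eth0" ct state new accept
        iifname "eth2" oifname "eth1" ct state new accept
    }
}
```

Entries tagged dmz-egress-drop in the kernel log are the check worth watching: a DMZ host that suddenly starts producing them is trying to initiate connections it was never meant to.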