A beginner Level Q on PIX : Why DMZ interfaces?

Why do we need DMZ interfaces? A document says that on the DMZ interface, we can install the servers that need to be available for public access and we should configure static NAT.

But I can do so on inside interface as well. Then why Security Levels? What is the primary reason for different Security Levels?

Thanks in advance,

Nikh.

5 Replies

mpalardy
Level 3

Hi Nikh,

The main reason for the being of a DMZ is to isolate public servers from your internal network.

If the internet access ends at a DMZ, in the scenario of an attack on your web/mail servers, the hacker won't be able to get on your internal network using your DMZ servers - if you have configured your firewall policies properly. The only information this person would have access to is the information you have left on the DMZ servers.

We could talk for a long time on securing your perimeter and what's the best practice, but all of this depends on your company resources, security requirements and confidentiality.

The main question remains: would you leave the key of your vault to a stranger?

Mike

Thanks Mike! That helps :-)

john.king
Level 1

By placing a device in the DMZ you are placing this device outside of your core network, so if it is compromised the hacker is still isolated from your internal network. If this device were a Windows box on the inside of your network, then the hacker would own your network. By being placed in the DMZ they may compromise the box, but your internal network is still secured. The security levels: if I have multiple devices that I want to make available to the internet, I may feel one of these devices needs to be more secure than the next, or one may not be allowed to talk to the other while the other is allowed to talk to it and to the internet. Security levels give you control over who can talk to whom and who cannot.

Thank you for your response John! Thanks for the help.

Nikh.

manoj.kv
Level 1

Hi,

Definitely it's a matter of security policies. Your public servers like Web and Mail servers are accessible to anyone. If you permit this type of traffic in your internal LAN, there is a security threat. So it's better to isolate this type of traffic from your internal LAN, so you create another pathway and door for this traffic called DMZ. One more interface concept is there called Dirty DMZ, where you have 4 interfaces. In this case the DMZ will be assigned for Web and mail servers accessible for internal users from the internal network and the internet (maybe VPN). The Dirty DMZ is for real public servers, which are for anonymous users. Thus you can avoid the threat of internal users and external users meeting in a junction.

Hope this helps.

Manoj.
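The isolation Mike and John describe, and the static NAT the original question mentions, as an added configuration example (constructed for this thread, not posted by any of the participants). It assumes a three-interface PIX running 6.x syntax, a DMZ web server at 192.168.10.10, and documentation/private addresses chosen only for illustration.

```cisco
! Constructed example (not from this thread): three-interface PIX 6.x.
! Security levels: outside 0 < dmz 50 < inside 100.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
!
! Higher-to-lower traffic (inside/dmz -> outside) is allowed once a
! translation exists; here both are PATed behind the outside address.
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
!
! Public address for the DMZ web server: the static NAT the question refers to.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
!
! Lower-to-higher traffic (outside -> dmz) is denied by default;
! open only TCP/80 to the web server, nothing else.
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside
!
! Inside users reach the DMZ server by its real address (identity translation).
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
!
! dmz (50) -> inside (100) is lower-to-higher, so it is dropped unless an
! ACL permits it. Make the isolation explicit and let the web server
! initiate only DNS outward: a compromised server gets no path inside.
access-list dmz_out deny ip any 10.0.0.0 255.255.255.0
access-list dmz_out permit udp host 192.168.10.10 any eq 53
access-group dmz_out in interface dmz
```

The same server placed on the inside interface would need the outside-to-inside hole at security level 100, and a compromise there would land the attacker on the LAN with no further firewall boundary to cross.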
