DMZ setup

April 27, 2007 at 07:10:11
Specs: XP, 2 GHz, 512 MB

I need to set up a DMZ with a Netscreen 5GT firewall. It has three interfaces: trust, untrust and dmz. From all of the stuff that I've found online, the dmz interface IP address is always in a different subnet than the trust interface. Our local network on the trust interface is in the IP range 10.1.1.X.

Do I need to create a new subnet such as 10.1.2.x to put the DMZ in, or is there a way to use the current network addressing scheme that we have? I would highly prefer to use a 10.1.1.x IP if possible. I plan on using port forwarding or a MIP to route to the servers in the DMZ.

If there needs to be a new subnet, how would I go about doing that on a Windows 2003 network? This may be too long of an answer for here, but is it very difficult?

Thanks.


#1
April 27, 2007 at 07:43:47

If you mean you want that addressing scheme in order for the DMZ network to be on the same subnet as the internal network, you're completely nullifying the entire point of a DMZ. They should be on separate subnets in order for all traffic to go through the netscreen, so you can regulate the traffic back and forth, selecting only the traffic that needs to pass through.

If you mean you just want that number, you need to subnet that address, and make one subnet as the DMZ, and one subnet for the internal LAN.

"Enough, enough bowing down to disillusion!
Hats off & applause to rogues & evolution!
The ripple effect is too good not to mention.
If you’re not affected, you’re not paying attention!"


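The split that reply #1 describes, worked through as an added example (this is not code from the thread and not a ScreenOS configuration): the poster's 10.1.1.0/24 is carved into a LAN /25 and a DMZ /25, and a small model of the firewall's zone-to-zone policy shows which flows the Netscreen actually gets to see in each design. Everything concrete here is assumed for illustration: the /25 split, the firewall interface taking the first usable address of each subnet, the policy rows, and the example host addresses. The untrust-to-dmz row uses the DMZ host's private address directly; on the real box that flow would arrive at a MIP on the untrust interface, which this model leaves out.

```python
"""Added example for this thread (not the original poster's network or
ScreenOS configuration): split the 10.1.1.0/24 space into a LAN /25 and a
DMZ /25, and show which flows the firewall gets to see in each design.
All addresses, the interface numbering and the policy rows are assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Constructed: the poster's 10.1.1.x space carved into two /25s.
# 10.1.1.0/25 keeps the trusted LAN, 10.1.1.128/25 becomes the DMZ.
LAN, DMZ = ipaddress.ip_network("10.1.1.0/24").subnets(new_prefix=25)

# Zone -> subnet behind that firewall interface. Anything else is "untrust".
SPLIT_DESIGN: Dict[str, Net] = {"trust": LAN, "dmz": DMZ}
# What the poster asked for: DMZ servers left inside the single LAN /24.
FLAT_DESIGN: Dict[str, Net] = {"trust": ipaddress.ip_network("10.1.1.0/24")}

# Assumed zone-to-zone policy: (from, to, proto, port, action). Unlisted
# flows are denied, which is how "only the traffic that needs to pass" is
# expressed. Proto "any" with port 0 matches every protocol and port.
POLICY: List[Tuple[str, str, str, int, str]] = [
    ("untrust", "dmz",     "tcp", 443, "permit"),  # published web server
    ("trust",   "dmz",     "tcp", 22,  "permit"),  # admins manage DMZ hosts
    ("trust",   "untrust", "any", 0,   "permit"),  # LAN users browse out
]


def zone_of(design: Dict[str, Net], ip: str) -> str:
    """Zone whose subnet contains `ip`; anything outside every zone is untrust."""
    addr = ipaddress.ip_address(ip)
    for zone, net in design.items():
        if addr in net:
            return zone
    return "untrust"


def decide(design: Dict[str, Net], src: str, dst: str, proto: str, port: int) -> str:
    """Verdict for one flow.

    'direct' means both hosts sit in the same subnet, so they ARP for each
    other and the firewall never sees the packets. Otherwise the packets are
    routed via the firewall and the first matching policy row wins; no match
    means deny.
    """
    s, d = zone_of(design, src), zone_of(design, dst)
    if s == d and s != "untrust":
        return "direct"
    for from_zone, to_zone, p, prt, action in POLICY:
        if (from_zone, to_zone) == (s, d) and (p == "any" or (p == proto and prt == port)):
            return action
    return "deny"


def host_settings(design: Dict[str, Net], ip: str) -> Dict[str, str]:
    """Mask and default gateway a host at `ip` needs, assuming the firewall
    interface for each zone takes the first usable address of its subnet."""
    zone = zone_of(design, ip)
    if zone not in design:
        raise ValueError(f"{ip} is not inside any internal zone")
    net = design[zone]
    return {"zone": zone, "netmask": str(net.netmask), "gateway": str(net[1])}


if __name__ == "__main__":
    # A compromised DMZ web server tries to reach a file share on the LAN.
    for name, design in (("flat", FLAT_DESIGN), ("split", SPLIT_DESIGN)):
        verdict = decide(design, "10.1.1.130", "10.1.1.10", "tcp", 445)
        print(f"{name:5s} dmz-host -> lan-host tcp/445: {verdict}")
    print(host_settings(SPLIT_DESIGN, "10.1.1.130"))
```

The flat design returns `direct` for the DMZ-to-LAN flow: the two hosts share a subnet, so the packets never reach the firewall and no policy can stop them. The split design returns `deny` for the same flow because there is no dmz-to-trust row. `host_settings` shows the practical consequence of the split: every LAN host changes to mask 255.255.255.128 with gateway 10.1.1.1, and DMZ hosts get 255.255.255.128 with gateway 10.1.1.129, which is why the change touches the firewall interfaces and the hosts' (or DHCP scope's) addressing, not a DNS server.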
#2
April 27, 2007 at 08:41:13

Thanks for the reply. How big of a pain is it to create a new subnet for the dmz? Is that something that I need to do on the netscreen or within the Windows DNS server?

#3
April 27, 2007 at 08:47:45

I seriously don't intend this to sound mean, but if you don't understand how to implement a subnet, you need outside help for what you're trying to do because you're very likely to make bad decisions about many things related to this issue.

#4
April 27, 2007 at 09:06:36

Perhaps, but we have a small network and I think our network is simple enough where I can figure it out. I understand the theory behind subnetting, but actually pushing the buttons to set it up is foreign to me.

#5
April 27, 2007 at 10:32:38

Dude, if you're asking me how to setup a subnet, and not sure if it should be done on the netscreen or the server, you are completely lacking a fundamental understanding of subnetting.

Not trying to be mean, but I'm trying to help you realize you need professional consultation to do this right.

If you don't want to use this advice, good luck to you, and hopefully whatever you do won't cause the network or services to stop functioning, or you end up with an insecure configuration and pay the price from an attack.

#6
April 27, 2007 at 11:09:03

You know, the whole point of forums like these is to help each other with helpful discussion. If he wanted a consultant he would have gone to one.

"i woke up this morning and all of my stuff was stolen and replaced with exact duplicates."

#7
April 27, 2007 at 11:41:57

"You know, the whole point of forums like these is to help each other with helpful discussion."

And people often don't know when to seek professional help. Sometimes the best way to help them is to flat out tell them they're in over their heads. He is in serious danger of either screwing up the network or setting up a vulnerable design because he thinks he can do this because he thinks he understands the "theory" of subnetting.

I think I understand the "theory" of cars, but I'm not about to go in and adjust the engine timings, etc. I don't know what I'm doing, and I'd certainly appreciate it if, when I was asking about it and it was obvious that I was about to do something horribly wrong that could have very serious consequences, someone would tell me, "hey, you're about to do something very bad, go talk to a professional!"

With all the questions that go along with what he's trying to do, and with the obvious fact that he doesn't know what he's doing when it comes to this, a user forum is not the right venue to get this done correctly. He needs professional advice.

#8
April 27, 2007 at 12:25:56

Look, I just asked a simple question and wanted to know the answer to it. I don't need your commentary on my skills or lack thereof, "dude". If you don't want to answer it, let someone else. I don't need your know-it-all attitude. I'm just trying to learn. Maybe I will get a consultant, but how is that going to help me understand it? I don't need a response back to this post unless it talks about my original questions.

Ducklips, thanks for sticking up for stupid people like me.

#9
April 27, 2007 at 13:14:54

"Maybe I will get a consultant, but how is that going to help me understand it?"

You get the right consultant. When I do consulting work, I am very happy and willing to provide not just what to do, but the why's and how's. I'm willing even to have you "drive" and I tell you how to do it as you go through.

However, I don't think I could figure out things like "is a DMZ even the right thing for your network", "what's the best way to implement this for your environment", etc. without being there.

I never said anything about you being stupid. Everyone is ignorant about what they want to learn, or else they'd already know it. I respect your desire to learn, but there's a point where you should not be "learning by doing" if without some supervision it is flat out dangerous.

Going back to the car analogy, even if someone thought they understood the "theory" of how brakes work, do you think it's a good idea that the first time someone does a brake job on a car they do it without someone who has done it before making sure they're doing it right? Remember, if the brakes fail, someone could get seriously hurt or killed.

In this case, I assume the need for the DMZ is for security reasons. If you do it wrong, you could wind up with servers being hacked, core services not being available, etc. I can tell by what you've posted that you are likely to do something similar to this, and whatever help you could get on this forum still might not help you avoid this. I'd rather not see that happen to you.

For the record, I don't think you're stupid in any way. Stupid implies the inability to learn. Are you knowledgeable enough to pull this off? In my opinion, good chance of not, and the consequences of doing it wrong can be catastrophic, otherwise, doing it wrong isn't a big deal.

I'd rather you learn it AND your network be safe and functioning as it should. I just don't think that's possible in a forum to happen, and it's well worth the money a good consultant would cost you.

If you don't like that advice, fine. Someone else is more than welcome to help you.
