DMZ Planning - D-Link DFL-1600 User Manual

Network security firewall
16.1. General
server. For instance, suppose our web server is running on NT, which might be
vulnerable to a number of denial-of-service attacks against services such as
RPC, NetBIOS and SMB. These services are not required for the operation of
HTTP, so we can set rules to block the relevant TCP connections to ports 135,
137, 138, and 139 on that server and reduce its exposure to denial-of-service
attacks.
With a DMZ deployment, there is no direct access from the Internet into the
internal network, and anyone trying to access resources in the DMZ from the
Internet has to pass the firewall's rules.
The setting of the firewall's rules follows one important security principle,
that is, limiting the connections to the necessary numbers to support the
services.

16.1.2 DMZ Planning

Deploying a DMZ is a large-scale task, involving segmentation of the network
structure and configuration of the firewall rules. It therefore requires
careful planning to achieve both protection and scalability.

We use a small set of components to illustrate the different approaches to
DMZ planning:

- A firewall with 3 interfaces: Int net, DMZ net, and Ext net.
- A private computer.
- A … containing the LAN's private data.
- A … containing resources for public web services.
- A … for public connections.

Approach 1 – File Server, Database Server, and Client A on Int net; Web
Server on DMZ net. The Web Server on DMZ net needs to open some ports on
Int net to access the Database Server. If the Web Server is taken over by
an intruder, the Database Server and other components on Int net may be
exposed to attacks.

D-Link Firewalls User's Guide
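As an added illustration, not taken from the manual or from the DFL-1600's own rule syntax, the three-interface policy behind Approach 1 can be modelled as an ordered, default-deny rule list and checked against sample connections. The addresses, the database listener port (1433) and the HTTPS allowance are assumptions; the port 135/137/138/139 block and the single DMZ-to-Int opening come from the text above.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the three firewall interfaces (assumption).
ZONES = {
    "Int": ip_network("192.168.1.0/24"),  # file server, database server, Client A
    "DMZ": ip_network("192.168.2.0/24"),  # web server
    "Ext": ip_network("0.0.0.0/0"),       # everything else: the Internet
}
WEB_SERVER = "192.168.2.10"  # constructed DMZ host
DB_SERVER = "192.168.1.20"   # constructed Int host
DB_PORT = 1433               # assumed database listener port

# Ordered first-match policy; anything not matched is dropped (default deny).
# Rule shape: (action, src_zone or None, dst_zone, dst_host or None, TCP ports or None)
RULES = [
    # Services not needed for HTTP: refuse RPC/NetBIOS/SMB to the web server from anywhere.
    ("deny",  None,  "DMZ", WEB_SERVER, {135, 137, 138, 139}),
    # Public web service: the Internet may reach the DMZ web server on HTTP/HTTPS only.
    ("allow", "Ext", "DMZ", WEB_SERVER, {80, 443}),
    # Approach 1: the web server needs one port on Int net to reach the database.
    ("allow", "DMZ", "Int", DB_SERVER, {DB_PORT}),
    # Internal clients may use the web server.
    ("allow", "Int", "DMZ", WEB_SERVER, {80, 443}),
]


def zone_of(ip):
    """Map an address to the interface it sits behind; Ext is checked last because it matches all."""
    addr = ip_address(ip)
    for name in ("Int", "DMZ", "Ext"):
        if addr in ZONES[name]:
            return name
    return "Ext"


def decide(src_ip, dst_ip, dst_port):
    """Return 'allow' or 'deny' for a TCP connection attempt; the first matching rule wins."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for action, s, d, host, ports in RULES:
        if s is not None and s != src_zone:
            continue
        if d != dst_zone:
            continue
        if host is not None and host != dst_ip:
            continue
        if ports is not None and dst_port not in ports:
            continue
        return action
    return "deny"  # no rule matched: the firewall's implicit drop
```

Checking a DMZ-sourced connection to an Int host other than the database server shows what the single opening does and does not expose if the web server is compromised.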