perimeter network

bighornsheep Member Posts: 1,506
if there is such a network:

| subnet 1 | subnet 2

where | are firewalls.

is subnet 1 the perimeter network? or subnet 2?
Jack of all trades, master of none

Comments

  • royal Member Posts: 3,352
    Subnet 1 would be the best choice for the DMZ in this case and your internal network would be on Subnet 2. This is because you have a | and a | on both sides of Subnet 1. 1 would be your public facing firewall and the other would be your private facing firewall.

    Internet - | Subnet 1 (DMZ) | Subnet 2 (Private)
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • bighornsheep Member Posts: 1,506
    royal wrote:
    Subnet 1 would be the best choice for the DMZ in this case

    I don't mean implementing the perimeter network in the above... I mean if the above was shown, and one was asked to identify the perimeter network, which would it be? Would subnet 1 definitely be the perimeter network?
    Jack of all trades, master of none
  • royal Member Posts: 3,352
    Yes, Subnet 1 definitely would be the perimeter network.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • seuss_ssues Member Posts: 629
    The type of setup you have described is often called a screened subnet with dual firewalls.

    By having internet | subnet 1 (DMZ) | subnet 2 (internal)
    you are providing a lot of protection. Not only must an attacker compromise a single firewall, but they must pass an additional firewall to get to the less secure internal network. Additionally, for added security it is advised to use 2 different devices as the firewalls. Two firewalls are no better than one if they are both susceptible to the same vulnerability. So if you were to properly set up firewall1 and harden your DMZ, then properly set up firewall2, it would be extremely difficult to reach the internal network.
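    To make the screened-subnet layout concrete, here is a small policy model added to this thread (it is not code from any poster or from a real firewall product). It assumes constructed addressing: subnet 1 (the DMZ) is 203.0.113.0/24, subnet 2 (internal) is 10.10.0.0/16, and everything else is "the Internet". The public-facing firewall (fw1) publishes only web ports into the DMZ and has no rule that forwards Internet traffic to the internal subnet; the private-facing firewall (fw2) lets DMZ hosts reach only one backend port (5432, a constructed database example). Both rulesets end in an explicit default deny, and a flow is allowed only if every firewall on its path allows it, which is exactly why an attacker who gets a foothold in the DMZ still faces a second, independently configured filter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the diagram: Internet | subnet 1 (DMZ) | subnet 2 (internal)
DMZ = ipaddress.ip_network("203.0.113.0/24")     # assumed DMZ range (documentation prefix)
INTERNAL = ipaddress.ip_network("10.10.0.0/16")  # assumed internal range


def zone_of(addr: str) -> str:
    """Map an address to the zone it lives in; anything outside both subnets is the Internet."""
    ip = ipaddress.ip_address(addr)
    if ip in DMZ:
        return "dmz"
    if ip in INTERNAL:
        return "internal"
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "any" or a zone name
    dst_zone: str            # "any" or a zone name
    port: Optional[int]      # None matches any destination port
    action: str              # "allow" or "deny"


# fw1: public-facing. Only published DMZ services are reachable from outside.
# There is deliberately no rule forwarding Internet traffic to the internal zone.
FW1_RULES = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("internet", "dmz", 80, "allow"),
    Rule("dmz", "internet", None, "allow"),       # DMZ hosts may fetch updates etc.
    Rule("internal", "internet", None, "allow"),  # egress from internal clients
    Rule("any", "any", None, "deny"),             # explicit default deny
]

# fw2: private-facing. DMZ hosts reach only the one backend port they need;
# internal clients may initiate connections towards the DMZ and the Internet.
FW2_RULES = [
    Rule("dmz", "internal", 5432, "allow"),       # assumed app -> database flow
    Rule("internal", "dmz", None, "allow"),
    Rule("internal", "internet", None, "allow"),
    Rule("any", "any", None, "deny"),             # explicit default deny
]

FIREWALLS = {"fw1": FW1_RULES, "fw2": FW2_RULES}

# Which firewalls a flow crosses, in order, for each (source zone, destination zone).
PATHS = {
    ("internet", "dmz"): ["fw1"],
    ("dmz", "internet"): ["fw1"],
    ("dmz", "internal"): ["fw2"],
    ("internal", "dmz"): ["fw2"],
    ("internet", "internal"): ["fw1", "fw2"],
    ("internal", "internet"): ["fw2", "fw1"],
}


def evaluate(rules, src_zone: str, dst_zone: str, port: int):
    """First-match evaluation of one firewall's ruleset; returns (allowed, matching rule)."""
    for r in rules:
        if (r.src_zone in ("any", src_zone)
                and r.dst_zone in ("any", dst_zone)
                and r.port in (None, port)):
            return r.action == "allow", r
    return False, None  # no match at all: treat as deny


def check_flow(src: str, dst: str, port: int):
    """Walk the flow through every firewall on its path.

    Returns ("allowed", None) or ("denied", <name of the firewall that stopped it>).
    """
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "allowed", None  # same subnet: no firewall sits in the path
    for fw in PATHS[(sz, dz)]:
        allowed, _rule = evaluate(FIREWALLS[fw], sz, dz, port)
        if not allowed:
            return "denied", fw
    return "allowed", None


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.7 stands in for an Internet host.
    for flow in [("198.51.100.7", "203.0.113.10", 443),
                 ("198.51.100.7", "10.10.5.5", 443),
                 ("203.0.113.10", "10.10.5.5", 5432),
                 ("203.0.113.10", "10.10.5.5", 22)]:
        print(flow, "->", check_flow(*flow))
```

    The first two sample flows show the public firewall doing its job (web traffic reaches the DMZ, but nothing from outside is forwarded to subnet 2); the last two show the private firewall limiting a DMZ host to the single backend service it needs, so a compromised DMZ host still cannot open arbitrary connections into the internal network.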
  • bighornsheep Member Posts: 1,506
    Thanks, both of your descriptions were very helpful.
    Jack of all trades, master of none
  • sprkymrk Member Posts: 4,884
    Additionally, for added security it is advised to use 2 different devices as the firewalls.

    Although this could be a nice topic for another thread in the security forums, I just thought I would comment that there are actually 2 trains of thought on this. Most firewall vulnerabilities come not from any inherent flaw in the firewall itself, but rather in the admin misconfiguring the firewall, so having the same firewall on both ends of the screened subnet/dmz tends to make administration easier and less likely to run into a configuration issue.

    But seuss_ssues is correct that many consultants do recommend different firewalls, although that concept is less common now than a few years ago.
    All things are possible, only believe.