DMZ qualified?

itdaddy Posts: 2,086 Member
Hey guys,
we have an ASA 5510 and it has a DMZ switch, a 2950, above it, ports 1-8.
Just curious: what makes ports on a switch DMZ qualified? What I mean is,
I read the configs and they do not seem special to make them DMZ ports.
Unless the VLANs have something to do with being a DMZ? The descriptions
all say DMZ port, and the VLAN descriptions say firewallDMZNameofpurpose next to them. But what makes them DMZ-ish? Is it the VLANs and, in turn, the IP addresses routed through them?

Comments

  • Ahriakin SupremeNetworkOverlord Posts: 1,800 Member
    The term DMZ being applied to your ports is just a 'friendly' naming convention so you can correlate them to intended function. Switches have no functional concept of a DMZ, they do of course have VLANs so all they're really saying is that those ports are part of the VLAN used for hosts intended to be behind that DMZ on the firewall.
    E.g.
    Firewall int G0/2 = nameif DMZ, IP address 10.2.2.1/29
    FW G0/2 -> SW G1/2
    SW G1/2 is in VLAN 100, for handiness' sake named FW-DMZ
    4 other hosts are intended to be behind that DMZ, so the Ethernet ports for each are connected to SW G1/3-6 and these interfaces are then placed into VLAN 100. Their default gateway is then set as the FW's interface in that VLAN, 10.2.2.1

    Essentially the DMZ on your firewall is a layer 3+ concept of your intended secure Zone; the VLAN it and its protected hosts connect to on the Switch is the Layer 2 representation of the same Zone.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Ryan82 Posts: 428 Member
    It's just an area that has a lower security level than your internal network and higher than the outside area. For instance on an ASA you would possibly set the outside vlan to security-level 0, dmz to security-level 50, and your inside to security-level 100. No communication takes place from a lower security level to a higher unless explicitly defined.
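    The following is an added example, not configuration posted by anyone in this thread. It puts the two answers above into actual ASA and Catalyst 2950 syntax: the firewall defines the DMZ as a named interface with a security level, and the switch only carries a VLAN whose ports happen to be described as DMZ. Interface numbers, addresses, VLAN number, and the object and ACL names are all assumed for illustration; the `object network` NAT form assumes ASA software 8.3 or later.

```cisco
!
! ---- ASA 5510 side (assumed interfaces and addresses) ----
! The "DMZ" exists here: nameif + security-level + the L3 address
! that the DMZ hosts use as their default gateway.
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.2.2.1 255.255.255.248
!
! Default behaviour: higher security level -> lower is allowed,
! lower -> higher is denied. Anything from outside (0) into the
! DMZ (50) must therefore be permitted explicitly.
!
! Publish one DMZ web server on a public address (assumed values)
object network DMZ-WEB
 host 10.2.2.2
 nat (DMZ,outside) static 203.0.113.10
!
access-list OUTSIDE_IN extended permit tcp any host 10.2.2.2 eq 443
access-group OUTSIDE_IN in interface outside
!
! Caveat: once an ACL is bound to the DMZ interface, the implicit
! "lower to higher is denied, higher to lower is allowed" rule no
! longer applies to that interface; everything not permitted is dropped.
! So a DMZ ACL must deny DMZ -> inside and then re-permit DMZ -> outside.
access-list DMZ_IN extended deny ip 10.2.2.0 255.255.255.248 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip 10.2.2.0 255.255.255.248 any
access-group DMZ_IN in interface DMZ
!
!
! ---- Catalyst 2950 side (assumed port numbers) ----
! Nothing here is "DMZ" to the switch; it is a VLAN with a
! friendly name, and access ports placed in it.
!
vlan 100
 name FW-DMZ
!
interface FastEthernet0/1
 description DMZ uplink to ASA Ethernet0/2
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface range FastEthernet0/2 - 8
 description DMZ host ports
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
```

    To confirm the zone boundary behaves as intended, check from the firewall rather than from the port descriptions: `show running-config interface` on the ASA shows the nameif and security-level of each interface, `show vlan brief` on the 2950 shows which ports are actually in VLAN 100, and `packet-tracer input DMZ tcp 10.2.2.2 12345 192.168.1.10 445` on the ASA walks a simulated DMZ-to-inside packet through the policy and reports whether it would be dropped.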
  • Chris:/* Posts: 658 Member
    On a side note, since you are naming your ports DMZ or related, be careful about distinguishing names that could give intruders information if they penetrated your network. I am not so much talking about ports as actual host names and so forth; I have seen that a couple of times.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • itdaddy Posts: 2,086 Member
    Thanks guys. After further study I see the DMZ VLAN is a public zone, and since it could be on an ASA appliance you have the security zones, and the only way to access these zones is by zone priority and setting up proper ACLs... I see now, and then the ISP gives you a range of public IPs that rest on the DMZ... yep, totally cool. I get to see it first hand now, being the IT Manager and having access to all this stuff... thanks so much for your input... you guys are awesome.
    It is awesome to see it first hand in a production environment. Nothing beats real production setups! Way cool... again, thank you to all and happy new year my friends :)