DMZ?

[blubomber]

I am shopping around for a new Gateway/Firewall for my company. One thing that i have noticed is that firewall manufacturers are now offering a DMZ port on the firewall appliance. DMZ is for Demiliterized Zone. And from what i understand, you would hook up your web, mail, and other published servers on you private LAN to this port so that they can be accessible from the internet. And, at the same time, they would be somehow separated from your other servers you want to keep safe. It does sound like a good idea.

When did this DMZ concept first get addapted to firewall appliances (is this something new) and is anyone implementing this type of setup?

Just curious.

[vass0922]

Ya lots of people put up DMZ's to seperate their internet servers from the rest of the server population.

It IS a good idea
The idea is

Internal can see external servers (traffic from internal servers to external allowed), but not vice versa (you can't even ping a internal server from the dmz).

That way if somebody hacks into the box, they can't go much farther than that.
You'd only allow for a VERY minor amount of traffic to go through, ie. for SQL queries or exchange if its an OWA box.
Then of course you limit it to a specific type of traffic as well.

They've been around for awhile, linksys routers typically come with one DMZ option where you can set one IP as a DMZ box ... usually for putting up a game server or something.

[willy_ph]

As vass already noted, linksys routers allow one to DMZ one IP address. This is accomplished through the web-based management software built-in to the router itself.

[wfs]

I'm sure you guys know a he*l of alot more about this than me but I'll throw this out anyway - D-Link and Belkin have the same option. Now I just know what it is for

[Mickwish]

DMZ is a great idea! Got one set up with my IPCop router/firewall. Keeps the internet "open" box out of the LAN, so even if it gets hacked it can only get into that box, nowhere else. Got my web/mail/ftp server on it.

You can set what are called "pinholes" between the DMZ and LAN if you need to, eg for access to a SQL database or something.

Very useful, IMO.

Cheers
Mick