


With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco
study guides in print, we continue to look for ways we can better serve the
information needs of our readers. One way we do that is by listening.
Readers like yourself have been telling us they want an Internet-based service
that would extend and enhance the value of our books. Based on
reader feedback and our own strategic plan, we have created a Web site
that we hope will exceed your expectations.
www.syngress.com/solutions is an interactive treasure trove of useful information
focusing on our book topics and related technologies. The site
offers the following features:

One-year warranty against content obsolescence due to vendor
product upgrades. You can access online updates for any affected
chapters.

“Ask the Author” customer query forms that enable you to post
questions to our authors and editors.

Exclusive monthly mailings in which our experts provide answers to
reader queries and clear explanations of complex material.

Regularly updated links to sites specially selected by our editors for
readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site.
Just go to www.syngress.com/solutions, and keep this book handy when
you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure
to let us know if there’s anything else we can do to help you get the
maximum value from your investment. We’re listening.


www.syngress.com/solutions
250_DMZ_fm.qxd 6/5/03 2:27 PM Page i
1 YEAR UPGRADE
BUYER PROTECTION PLAN
Robert J. Shimonski
Will Schmied
Dr. Thomas W. Shinder
Victor Chang
Drew Simonis
Damiano Imperatore
Building DMZs for Enterprise Networks
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or
production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results
to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work
is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state
to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or
other incidental or consequential damages arising out from the Work or its contents. Because some
states do not allow the exclusion or limitation of liability for consequential or incidental damages, the
above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when
working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “The
Definition of a Serious Security Library™”, “Mission Critical™,” and “The Only Way to Stop a Hacker
is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names
mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Building DMZs for Enterprise Networks
Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings
may be entered, stored, and executed in a computer system, but they may not be reproduced for
publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-88-4
Technical Editor: Robert J. Shimonski
Acquisitions Editor: Jonathan E. Babcock
Indexer: Rich Carlson
Cover Designer: Michael Kavish
Page Layout and Art by: Patricia Lupien
Copy Editor: Darlene Bordwell
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
About itfaqnet.com
Syngress Publishing is a proud sponsor of itfaqnet.com, one of the
web’s most comprehensive FAQ sites for IT professionals. This is a free service
that allows users to query over 10,000 FAQs pertaining to Cisco networking,
Microsoft networking, network security tools, .NET development,
wireless technology, IP telephony, storage area networking, Java development
and much more. The content on itfaqnet.com is all derived from our
hundreds of market-proven books, written and reviewed by content
experts.
So bookmark ITFAQnet.com as your first stop for mission-critical advice
from the industry’s leading experts.
www.itfaqnet.com
Acknowledgments
We would like to acknowledge the following people for their kindness and
support in making this book possible.
Karen Cross, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin
Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell,
Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly,
Kristin Keith, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and
Susan Fryer of Publishers Group West for sharing their incredible marketing
experience and expertise.
The incredibly hard working team at Elsevier Science, including Jonathan
Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna
Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie
Moss for making certain that our vision remains worldwide in scope.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong,
Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm
with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall,
Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie
Gross & Associates for all their help and enthusiasm representing our product
in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great
folks at Jaguar Book Group for their help with distribution of Syngress books
in Canada.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs,
Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our
books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga,
Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution
of Syngress books in the Philippines.
Contributors
Thomas W. Shinder M.D. (MVP, MCSE) is a computing industry veteran
who has worked as a trainer, writer, and a consultant for Fortune 500
companies including FINA Oil, Lucent Technologies, and Sealand
Container Corporation. Tom was a Series Editor of the Syngress/Osborne
Series of Windows 2000 Certification Study Guides and is author of the
best selling books Configuring ISA Server 2000: Building Firewalls with
Windows 2000 (Syngress Publishing, ISBN: 1-928994-29-6) and Dr. Tom
Shinder's ISA Server & Beyond (ISBN: 1-931836-66-3). Tom is the editor
of the Brainbuzz.com Win2k News newsletter and is a regular contributor
to TechProGuild. He is also content editor, contributor, and moderator for
the World's leading site on ISA Server 2000, www.isaserver.org. Microsoft
recognized Tom's leadership in the ISA Server community and awarded
him their Most Valued Professional (MVP) award in December of 2001.
Will Schmied (BSET, MCSE, CWNA, TICSA, MCSA, Security+,
Network+, A+) is the President of Area 51 Partners, Inc., a provider of
wired and wireless networking implementation and security services to
businesses in the Hampton Roads, VA area. Will holds a bachelors degree
in mechanical engineering technology from Old Dominion University in
addition to his various IT industry certifications and is a member of the
IEEE and ISSA. Will has previously authored or contributed to several
other publications by Syngress Publishing including Implementing and
Administering Security in a Microsoft Windows 2000 Network Study Guide and
DVD Training System (Exam 70-214) (ISBN: 1-931836-84-1), Security+
Study Guide & DVD Training System (ISBN: 1-931836-72-8), and
Configuring and Troubleshooting Windows XP Professional
(ISBN: 1-928994-80-6).
Will lives in Newport News, Virginia with his wife, Chris, and their
children Christopher, Austin, Andrea, and Hannah. Will would like to
thank his family for believing in him and giving him the support and
encouragement he needed during all of those late nights in “the lab.” Will
would also like to say thanks to the entire team of professionals at
Syngress Publishing—you make being an author easy. Special thanks to
Jon Babcock for having a sense of humor that never seems to go out of
style.
Norris L. Johnson, Jr. (Security+, MCSA, MCSE, CTT+, A+, Linux+,
Network +, CCNA) is a technology trainer and owner of a consulting
company in the Seattle-Tacoma area. His consultancies have included
deployments and security planning for local firms and public agencies, as
well as providing services to other local computer firms in need of
problem solving and solutions for their clients. He specializes in Windows
NT 4.0, Windows 2000 and Windows XP issues, providing consultation
and implementation for networks, security planning, and services. In addition
to consulting work, Norris provides technical training for clients and
teaches for area community and technical colleges. He is co-author of
Security+ Study Guide & DVD Training System (Syngress Publishing, ISBN:
1-931836-72-8), Configuring and Troubleshooting Windows XP Professional
(ISBN: 1-928994-80-6), and Hack Proofing Your Network, Second Edition
(ISBN: 1-928994-70-9). Norris has also performed technical edits and
reviews on Hack Proofing Windows 2000 Server (ISBN: 1-931836-49-3)
and Windows 2000 Active Directory, Second Edition (ISBN: 1-928994-60-1).
Norris holds a bachelor’s degree from Washington State University. He is
deeply appreciative of the support of his wife, Cindy, and three sons in
helping to maintain his focus and efforts toward computer training and
education.
Michael Sweeney (CCNA, CCDA, CCNP, MCSE) is the owner of the
network consulting firm Packetattack.com. His specialties are network
design, network troubleshooting, wireless network design, security, and
network analysis using NAI Sniffer and Airmagnet for wireless network
analysis. Michael’s prior published works include Cisco Security Specialist’s
Guide to PIX Firewalls (Syngress Publishing, ISBN: 1-931836-63-9).
Michael is a graduate of the University of California, Irvine, extension
program with a certificate in Communications and Network
Engineering. Michael resides in Orange, CA with his wife Jeanne and
daughter Amanda.
Ido Dubrawsky (CCNA, SCSA) has been working as a UNIX/Network
Administrator for over 10 years. He has experience with a variety of UNIX
operating systems including Solaris, Linux, BSD, HP-UX, AIX, and Ultrix.
He was previously a member of Cisco’s Secure Consulting Service providing
security posture assessments to Cisco customers and is currently a
member of the SAFE architecture team. Ido has written articles and papers
on topics in network security such as IDS, configuring Solaris virtual private
networks, and wireless security. Ido is a contributing author for Hack
Proofing Sun Solaris 8 (Syngress, ISBN: 1-928994-44-X) and Hack Proofing
Your Network, Second Edition (ISBN: 1-928994-70-9). When not working on
network security issues or traveling to conferences, Ido spends his free time
with his wife and their children.
Victor Chang (CCSA, CCSE, CCNA, CCSE+, NSA) is the Product
Line Support Team Lead for IPSO and Hardware with Nokia. He currently
provides Product Line Escalation Support for the Nokia IP Series
Appliances and assists Product Management in new product development.
Victor lives in Fremont, CA. He would like to thank his parents, Tsun San
and Suh Jiuan Chang, Ricardo and Eva Estevez, as well as the rest of his
family and friends. Without their love and support none of this would
have been possible.
Hal Flynn is a Senior Vulnerability Analyst for Symantec. He is also the
UNIX Focus Area Manager of the SecurityFocus website, and moderator
of the Focus-Sun and Focus-Linux mailing lists. Hal is a Veteran of the
United States Navy, where he served as a Hospital Corpsman with 2nd
Marine Division. He has worked in a wide range of roles such as systems
administration, systems analysis, and consulting in both the commercial
and government environments. Hal lives in Calgary, Alberta, Canada and
is a certified Wreck Diver, Ice Diver, and Rescue Diver.
Damiano Imperatore (CCIE #9407, CCNP, CCNA, CCDA, MCSA)
is a Systems Engineer for Verizon’s Enterprise Solutions Group (ESG).
Damiano is responsible for designing networking solutions for several of
New York’s government agencies and large enterprises. Damiano has over
8 years of experience in the data networking field with strengths in
designing, building, and securing large complex enterprise networks. Prior
to Verizon, Damiano worked for the Cendant Corporation as a Lead
Network Architect where he designed, managed and supported Cendant’s
very large global network. At Cendant, he was also tasked with designing
and supporting DMZ infrastructures for several major websites including
Avis Rent-A-Car, Century 21 and websites related to Cendant’s hospitality
unit. Damiano holds a bachelor’s degree in Computer Science from
Hofstra University.
Daniel Kligerman (CCSA, CCSE, Extreme Networks GSE, LE) is a
Consulting Analyst with TELUS Enterprise Solutions Inc., where he specializes
in routing, switching, load balancing, and network security in an
Internet hosting environment. Daniel is a contributing author for Check
Point Next Generation Security Administration (Syngress, ISBN: 1-928994-
74-1). A University of Toronto graduate, Daniel holds an honors bachelor’s
of Science degree in Computer Science, Statistics, and English.
Daniel currently resides in Toronto, Canada. He would like to thank
Robert, Anne, Lorne, and Merita for their support.
Drew Simonis (CCNA, SCSA, SCNA, CCSA, CCSE, IBM CS) is a
Senior Network Security Engineer with the RL Phillips Group, LLC. He
provides senior level security consulting to the United States Navy, working
on large enterprise networks. He considers himself a security generalist,
with a strong background in system administration, Internet application
development, intrusion detection and prevention and response, and penetration
testing. Drew’s background includes a consulting position with Fiderus,
serving as a security architect with AT&T and as a Technical Team Lead
with IBM. Drew has a bachelors degree from the University of South
Florida and is also a member of American MENSA. Drew has contributed
to several Syngress publications, including the best selling Check Point Next
Generation Security Administration (ISBN: 1-928994-74-1). Drew lives in
Suffolk, VA with his wife Kym and daughters Cailyn and Delany.
Tod Beardsley began geek life in the mid-’80s as a pre-teen Commodore
Vic-20 hacker and BBS sysop in the San Francisco East Bay. Since then, he
has administered several networks of varying scale and flavor, has earned
MCSE and GCIA certifications, and is presently employed at Dell
Computer Corporation in Round Rock, Texas. Tod is Dell’s Subject Matter
Expert for security on the Windows NT/2000 server platform, with a
focus on Dell’s Internet-exposed site operations. In addition to performing
the duties of a paid Windows dork, Tod is a Debian GNU/Linux enthusiast,
a grader for the GIAC GCIA certification, and holds the esteemed
distinction of 2000’s runner-up Sexiest Geek Alive.
Technical Editor and Contributor
Robert J. Shimonski (TruSecure TICSA, Cisco CCDP, CCNP,
Symantec SPS, NAI Sniffer SCP, Nortel NNCSS, Microsoft MCSE,
MCP+I, Novell Master CNE, CIP, CIBS, CNS, IWA CWP, DCSE,
Prosoft MCIW, SANS.org GSEC, GCIH, CompTIA Server+, Network+,
Inet+, A+, e-Biz+, Security+, HTI+) is a Lead Network and Security
Engineer for a leading manufacturing company, Danaher Corporation. At
Danaher, Robert is responsible for leading the IT department within his
division into implementing new technologies, standardization, upgrades,
migrations, high-end project planning and designing infrastructure
architecture. Robert is also part of the corporate security team responsible for
setting guidelines and policy for the entire corporation worldwide. In his
role as a Lead Network Engineer, Robert has designed, migrated, and
implemented very large-scale Cisco and Nortel based networks. Robert
has held positions as a Network Architect for Cendant Information
Technology and worked on accounts ranging from the IRS to AVIS Rent
a Car, and was part of the team that rebuilt the entire Avis worldwide
network infrastructure to include the Core and all remote locations.
Robert maintains a role as a part time technical trainer at a local computer
school, teaching classes on networking and systems administration
whenever possible.
Robert is also a part-time author who has worked on over 25 book
projects as both an author and technical editor. He has written and edited
books on a plethora of topics with a strong emphasis on network security.
Robert has designed and worked on several projects dealing with cutting
edge technologies for Syngress Publishing, including the only book dedicated
to the Sniffer Pro protocol analyzer. Robert has worked on the following
Syngress Publishing titles: Building DMZs for Enterprise Networks
(ISBN: 1-931836-88-4), Security+ Study Guide & DVD Training System
(ISBN: 1-931836-72-8), Sniffer Pro Network Optimization & Troubleshooting
Handbook (ISBN: 1-931836-57-4), Configuring and Troubleshooting Windows
XP Professional (ISBN: 1-928994-80-6), SSCP Study Guide & DVD
Training System (ISBN: 1-931836-80-9), Nokia Network Security Solutions
Handbook (ISBN: 1-931836-70-1) and the MCSE Implementing and
Administering Security in a Windows 2000 Network Study Guide & DVD
Training System (ISBN: 1-931836-84-1).
Robert’s specialties include network infrastructure design with the
Cisco product line, systems engineering with Windows 2000/2003
Server, NetWare 6, Red Hat Linux and Apple OSX. Robert’s true love is
network security design and management utilizing products from the
Nokia, Cisco, and Check Point arsenal. Robert is also an advocate of
Network Management and loves to ‘sniff’ networks with Sniffer-based
technologies. When not doing something with computer related technology,
Robert enjoys spending time with Erika, or snowboarding wherever
the snow may fall and stick.
Contents
Foreword xxxi
Chapter 1 DMZ Concepts, Layout, and Conceptual Design 1
Introduction 2
Planning Network Security 2
Security Fundamentals 3
Identifying Risks to Data 6
Identifying Risks to Services 7
Identifying Potential Threats 8
Introducing Common Security Standards 9
Policies, Plans, and Procedures 10
DMZ Definitions and History 12
DMZ Concepts 13
Traffic Flow Concepts 17
Networks With and Without DMZs 21
Pros and Cons of DMZ Basic Designs 22
DMZ Design Fundamentals 24
Why Design Is So Important 25
Designing End-to-End Security for Data Transmission Between Hosts on the Network 25
Traffic Flow and Protocol Fundamentals 26
DMZ Protocols 26
Designing for Protection in Relation to the Inherent Flaws of TCP/IPv4 27
Public and Private IP Addressing 28
Ports 29
The OSI Model 30
Identifying Potential Risks from the Internet 31
Using Firewalls to Protect Network Resources 32
Using Screened Subnets to Protect Network Resources 32
Securing Public Access to a Screened Subnet 33
Traffic and Security Risks 35
Application Servers in the DMZ 35
Domain Controllers in the DMZ 36
RADIUS-Based Authentication Servers in the DMZ 36
VPN DMZ Design Concepts 36
Advanced Risks 37
Business Partner Connections 37
Extranets 38
Web and FTP Sites 38
E-Commerce Services 39
E-Mail Services 39
Advanced Design Strategies 39
Advanced DMZ Design Concepts 40
Remote Administration Concepts 41
Authentication Design 43
Summary 44
Solutions Fast Track 45
Frequently Asked Questions 47
Chapter 2 Windows 2000 DMZ Design 49
Introduction 50
Introducing Windows 2000 DMZ Security 51

Fundamental Windows 2000 DMZ Design 52
Network Engineering the DMZ 54
Systems-Engineering the DMZ 60
Security Analysis for the DMZ 62
Building a Windows 2000 DMZ 63
Designing the DMZ Windows Style 64
Domain Considerations 64
The Contained Domain Model 66
The Extended Domain Model 67
The Internet Connection 67
Wide Area Network Link 69
DMZ Perimeter Security 75
External Router 75
Firewall 75
Extra DMZ Routers 78
Name Resolution for the DMZ 79
DMZ Mail Services 80
Mail Relay 81
Web Servers 82
External Web Server 82
Designing Windows 2000 DNS in the DMZ 83
External DNS Server 84
Engineering Windows 2000 Traffic in the DMZ 85
Assessing Network Data Visibility Risks 89
Windows 2000 DMZ Design Planning List 92
Summary 94
Solutions Fast Track 95
Frequently Asked Questions 100

Chapter 3 Sun Solaris DMZ Design 103
Introduction 104
Placement of Servers 104
The Firewall Ruleset 108
The Private Network Rules 108
The Public Network Rules 111
Server Rules 113
System Design 114
Hardware Selection:The Foundation 116
Common DMZ Hardware Requirements 117
Network Hardware Considerations 117
Software Selection:The Structure 118
Popular Firewall Software Packages 119
High Availability of the DMZ Server 120
Host Security Software 121
Other Software Considerations 122
Configuration:The Plumbing and Other Details 123
Disk Layout and Considerations 123
Increasing the Verbosity of Local Auditing 124
Backup Considerations 125
Remote Administration 126
Putting the Puzzle Together 126
Layering Local Security 128
Auditing Local File Permissions 130
Building the Model for Future Use 133
Implementation:The Quick, Dirty Details 135
Media Integrity 135
Physical Host Security 135

Host Network Security 136
Patch Application 136
Solaris System Hardening 137
Manual System Hardening 138
Automated System Hardening 143
Hardening Checklists for DMZ Servers and Solaris 145
Summary 147
Solutions Fast Track 148
Frequently Asked Questions 150
Chapter 4 Wireless DMZs 153
Introduction 154
Why Do We Need Wireless DMZs? 156
Passive Attacks on Wireless Networks 156
War Driving 157
Sniffing 160
Active Attacks on Wireless Networks 160
Spoofing (Interception) and Unauthorized Access 161
Denial of Service and Flooding Attacks 164
Man-in-the-Middle Attacks on Wireless Networks 166
Network Hijacking and Modification 166
Jamming Attacks 168
Designing the Wireless DMZ 169
Wireless DMZ Components 171
Access Points 172
Network Adapters 172
RADIUS Servers 173
Enterprise Wireless Gateways and Wireless Gateways 173
Firewalls and Screening Routers 174
Other Segmentation Devices 174
Wireless DMZ Examples 174
Wireless LAN Security Best-Practices Checklist 178
Summary 181
Solutions Fast Track 181
Frequently Asked Questions 183
Chapter 5 Firewall Design: Cisco PIX 185
Introduction 186
Basics of the PIX 186
Securing Your Network Perimeters 187
The Cisco Perimeter Security Solution 187
Cisco PIX Versions and Features 192
Cisco PIX Firewalls 192
The Cisco PIX 501 Firewall 192
The Cisco PIX 506E Firewall 193
The Cisco PIX 515E Firewall 194
The Cisco PIX 525 Firewall 196
The Cisco PIX 535 Firewall 197
Cisco Firewall Software 198
The Cisco PIX Device Manager 199
Cisco PIX Firewall Licensing 200
Cisco PIX Firewall Version 6.3 201
PIX Firewall PCI Card Options 202
Making a DMZ and Controlling Traffic 207
Securely Managing the PIX 207
The Console 207
Telnet 208
SSH 209
The PIX Device Manager 210
Authenticating Management Access to the PIX 212

PIX Configuration Basics 213
Defining Interfaces 213
Configuring NAT 218
Outbound NAT 220
Inbound NAT 225
Verifying and Monitoring NAT 229
Configuring Access Rules 229
Creating an Outbound Access Control List 230
Creating an Inbound Access Control List 232
Creating Turbo ACLs 232
Monitoring ACLs 233
Routing Through the PIX 235
Static Routing 235
Enabling RIP 237
OSPF 238
Configuring Advanced PIX Features 239
The PIX Failover Services 239
What Causes Failover to Occur 240
Failover Requirements 240
Configuring Stateful Failover with a Failover Cable 241
Configuring Stateful LAN-Based Failover 244
Testing and Monitoring Failover 247
Blocking ActiveX and Java 247
URL Filtering 248
Cut-Through Proxy 249
Application Inspection 250
Intrusion Detection 251
FloodGuard, FragGuard, and DNSGuard 251

Securing SNMP and NTP 252
PIX Firewall Design and Configuration Checklist 253
Summary 254
Solutions Fast Track 255
Frequently Asked Questions 257
Chapter 6 Firewall and DMZ Design: Check Point NG 259
Introduction 260
Basics of Check Point NG 260
Stateful Inspection 261
Network Address Translation 261
Management Architecture 262
Securing Your Network Perimeters 262
The Check Point Perimeter Security Solution 262
Configuring Check Point to Secure Network Perimeters 263
Antispoofing 264
SmartDefense 266
Stateful Inspection Customization 273
Making a DMZ and Controlling Traffic 275
Configuring the DMZ Interface 275
Configuring Access Rules 277
Configuring Network Address Translation 279
Routing Through Check Point FireWall-1/VPN-1 280
Check Point NG Secure DMZ Checklist 280
Summary 282
Solutions Fast Track 282
Frequently Asked Questions 283
Chapter 7 Firewall and DMZ Design: Nokia Firewall 285

Introduction 286
Basics of the Nokia Firewall 286
Choosing the Right Platform 287
Nokia IP120 Appliance 287
Nokia IP350/IP380 Platforms 287
Nokia IP530 Platform 288
Nokia IP710/IP740 Platform 289
Configuring the Nokia Appliance 290
Serial Console Access 290
Configuring IPSO Settings 291
Using CLISH 292
Software Installation 294
Securing Your Network Perimeters 296
Plan Ahead 296
Know the Purpose of Your DMZ 297
DMZ Type 297
New or Existing Network 297
Network Plan 297
Time Constraints 298
Available Support Assistance 298
The Nokia Perimeter Security Solution 299
Configuring Check Point FireWall-1 Address Translation Rules 299
Building the DMZ 304
Configuring Check Point FireWall-1 Security and Address Translation Rules 310
Additional Considerations for Designing a DMZ 311
Nokia Firewall and DMZ Design Checklist 315

Summary 316
Solutions Fast Track 316
Frequently Asked Questions 319
Chapter 8 Firewall and DMZ Design: ISA Server 2000 321
Introduction 322
Configuring a Trihomed DMZ 322
The Network Layout 324
CLIENTDC 325
ISA 326
Internal Interface 326
External Interface 326
DMZ Interface 326
DMZSMTPRELAY 326
Router 327
Interface #1 (the DMZ Interface) 327
Interface #2 (the Public Interface) 327
Laptop (External Network Client) 327
Configuring the ISA Server 328
Ping Testing the Connections 330
Creating an Inbound ICMP Ping Query Packet Filter on the ISA Server External Interface 331
Creating an Inbound ICMP Ping Query Packet Filter to the DMZ Host’s Interface 334
Pinging the ISA Server Interfaces from the DMZ Hosts 337
Creating a Global ICMP Packet Filter for DMZ Hosts 337
Publishing DMZ SMTP Servers 338
Publishing a DMZ SMTP Mail Relay Server 342
Publishing a Web Server 350
Publishing an FTP Server on a Trihomed DMZ Segment 351
How FTP Works 351

Normal or PORT or Active Mode FTP 351
Passive or PASV Mode FTP 352
Challenges Created by the FTP Protocol 353
PORT Mode FTP Client-Side Firewall 354
PORT Mode FTP Server-Side Firewall 354
PASV Mode FTP Client-Side Firewall 355
PASV Mode FTP Client-Side Firewall 356
Using Packet Filters to Publish the PORT Mode FTP Server 356
Using Packet Filters to Publish the PASV Mode FTP Server 359
Beware the “Allow All” Packet Filter 360
External Network Clients Cannot Use the DMZ Interface to Connect to the Internal Network 362
Summary 364
Solutions Fast Track 364
Frequently Asked Questions 366
Chapter 9 DMZ Router and Switch Security 369
Introduction 370
Securing the Router 370
Router Placement in a DMZ Environment 370
Border Gateway Protocol 375
Access Control Lists 379
Security Banner 385
Securely Administering the Router 386
Disabling Unneeded IOS features 397
Cisco Discovery Protocol 398
Redirects 398
Unreachables 399

Directed Broadcasts 399
Proxy ARP 400
Small Services 400
Finger 401
IP Source Routing 401
Bootp Server 402
Other Security Features 402
Securing the Switch 403
Cisco Switches 404
Catalyst 2950 404
Catalyst 3550 405
Catalyst 4500 405
Catalyst 6500 406
Securely Managing Switches 407
Console 408
Telnet 408
SSH 410
HTTP 410
Enable Passwords 410
AAA 411
Syslogs, SNMP, and NTP 412
Security Banner 412
Disabling Unneeded IOS features 412
VLAN Trunking Protocol 413
VLANs 414
Private VLANS 419
Securing Switch Ports 422
IOS Bugs and Security Advisories 424

DMZ Router and Switch Security Best-Practice Checklists 425
Router Security Checklist 425
Switch Security Checklist 426
Summary 428
Solutions Fast Track 428
Frequently Asked Questions 430
Chapter 10 DMZ-Based VPN Services 433
Introduction 434
VPN Services in the DMZ 434
VPN Deployment Models 435
VPN Termination at the Edge Router 436
VPN Termination at the Corporate Firewall 438
VPN Termination at a Dedicated VPN Appliance 439
Topology Models 440
Meshed Topology 440
Star Topology 441
Hub-and-Spoke Topology 442
Remote Access Topology 442