Designing and Building Enterprise DMZs

The PIX/ASA is a powerful and versatile tool for securing your network. It can be used to secure your internal network from external parties for example, with Internet connections to third parties and business partners.The PIX/ASA can also be used on the internal network to protect sensitive data, not only from outside parties but also from unauthorized employees or from employees who might have malicious intent.This book focuses on the network perimeter and the DMZ, but some of the same designs and security features can also be used internally.
The PIX/ASA provides the DMZ architect with a variety of design possibilities. In the next section, we go through several design possibilities, including a traditional three-legged fire-wall, a multi-DMZ infrastructure using physical interfaces, a multi-DMZ infrastructure using virtual interfaces, and a dual-firewall DMZ infrastructure using an external and an internal firewall. We also discuss adding firewall redundancy so that a single firewall failure would not bring down the entire infrastructure.
The most commonly implemented DMZ design in many small and medium-sized corporations is the traditional three-legged firewall.This design meets the needs of a site or sites in which internal users require the ability to access the Internet securely as well as send e-mails, access a locally hosted company Web site, or transfer files. Figure 6.1 shows how the traditional three-legged firewall fits into the network.The internal interface of the PIX firewall allows internal users to access both the DMZ and the...