Cisco IPS 4360 Sensor White Paper

35
Firewall
August 2012 Series
Configuring the Web DMZ
Process
The firewall’s demilitarized zone (DMZ) is a portion of the network where, typically, traffic to and from other parts of the network is tightly restricted. Organizations place network services in a DMZ for exposure to the Internet. These servers are typically not allowed to initiate connections to the inside network, except under specific circumstances.

In this process, a DMZ is configured so that you can host Internet-accessible web servers on site.

The DMZ network is connected to the appliances on the appliances’ GigabitEthernet interface via a VLAN trunk, which allows the greatest flexibility if new VLANs must be added to connect additional DMZs. The trunk connects the appliances to a 3750-X access-switch stack in order to provide resiliency. The DMZ VLAN interfaces on the Cisco ASA are each assigned an IP address that is the default gateway for each of the VLAN subnets. The DMZ switch only offers Layer 2 switching capability; the DMZ switch’s VLAN interfaces do not have an IP address assigned, except for one VLAN interface with an IP address for management of the switch.
Figure 9 - Web DMZ VLAN topology (diagram labels: Internet, Cisco ASA, Distribution Switches, DMZ VLAN Trunk, DMZ Switches, DMZ Web Servers)
The number of secure VLANs is arbitrary. The following deployment illustrates an example of one secured network. If multiple types of hosts are to be connected in an Internet-facing DMZ, segmenting the DMZ along functional boundaries may be necessary, particularly because hosts that are exposed to the Internet are vulnerable to compromise and must not offer a springboard to other hosts. However, traffic between DMZ VLANs should be kept to a minimum. Placing servers that must share data on a single VLAN improves performance and reduces load on network devices.

Setting the DMZ connectivity as a VLAN trunk offers the greatest flexibility.
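The following configuration is an added illustration, not the guide's own procedure or Cisco's reference configuration, of the design described above: the ASA carries each DMZ as a VLAN subinterface on one trunked GigabitEthernet port and is the default gateway for each DMZ subnet, the 3750-X stack stays Layer 2 with a single management SVI, and an access list on the web DMZ interface prevents compromised DMZ hosts from initiating connections to the inside network or to a second, functionally separate DMZ VLAN. All VLAN IDs, interface numbers, names and addresses are placeholders chosen for this example, not values from the guide.

```text
! ===== Cisco ASA (constructed example; placeholder VLANs/addresses) =====
interface GigabitEthernet0/1
 description DMZ trunk to 3750-X access-switch stack
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per DMZ VLAN; the ASA address is the subnet's default gateway
interface GigabitEthernet0/1.1116
 description Web DMZ
 vlan 1116
 nameif dmz-web
 security-level 50
 ip address 192.168.16.1 255.255.255.0
!
interface GigabitEthernet0/1.1117
 description Second DMZ, separate functional segment
 vlan 1117
 nameif dmz-other
 security-level 50
 ip address 192.168.17.1 255.255.255.0
!
interface GigabitEthernet0/1.1123
 description DMZ switch management VLAN
 vlan 1123
 nameif dmz-management
 security-level 50
 ip address 192.168.23.1 255.255.255.0
!
! Deny DMZ-initiated traffic to the inside network (placeholder range) and
! to the other DMZ VLAN; permit everything else so the servers reach the Internet.
access-list dmz-web_access_in extended deny ip any 10.4.0.0 255.254.0.0
access-list dmz-web_access_in extended deny ip any 192.168.17.0 255.255.255.0
access-list dmz-web_access_in extended deny ip any 192.168.23.0 255.255.255.0
access-list dmz-web_access_in extended permit ip any any
access-group dmz-web_access_in in interface dmz-web

! ===== Cisco Catalyst 3750-X DMZ stack (Layer 2 only, one management SVI) =====
vlan 1116
 name dmz-web
vlan 1117
 name dmz-other
vlan 1123
 name dmz-management
!
interface GigabitEthernet1/0/24
 description Trunk to ASA GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1116,1117,1123
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 description Web server port
 switchport access vlan 1116
 switchport mode access
 spanning-tree portfast
!
! The only VLAN interface with an address: switch management, gateway is the ASA
interface Vlan1123
 description Switch management
 ip address 192.168.23.5 255.255.255.0
!
no ip routing
ip default-gateway 192.168.23.1
```

Two points worth checking when applying a design like this: the ASA does not forward traffic between interfaces that share a security level unless `same-security-traffic permit inter-interface` is configured, so the explicit deny lines between DMZ VLANs are a safeguard against that setting being added later rather than the only control; and the deny entries must precede the final `permit ip any any`, since the ASA evaluates access-list entries in order and stops at the first match.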
Tech Tip