Can NethSecurity handle a true DMZ?

Hi

I see a lot of DMZ mentions when talking about NethSecurity.

AFAIK, this DMZ only allows for the simplified (in my opinion pseudo) DMZ, called a “single firewall DMZ” on Wikipedia, as opposed to the true DMZ, the “dual firewall DMZ”.

Single Firewall


Dual Firewall


Gotchas with the single firewall:

  • All traffic must pass twice through the firewall, effectively halving its throughput.
  • Most keep silent about how DMZ hosts are backed up. Do they access the NAS on the LAN for this? And how? A backup target MUST be available in the DMZ, or backups must be “pulled” from the internal LAN. Any access from the DMZ to LAN resources would be violating any DMZ concept!

Any information or concepts from the devs about this?

Would be interesting to know.

In my professional life, I have never planned or set up such a single firewall DMZ…

I do think this concept stems in part from the abundance of IP addresses allocated to the US. In earlier days, every Internet subscription had a whole class of IPs to use - these were then allocated to the DMZ, without any NAT. NAT was used by internal clients accessing DMZ-placed hosts (No “DMZ Host”, that’s all fake security!).

Using anything like a true DMZ is quite cost-intensive, even when using virtualization. The DMZ needs Proxmox PVE servers for virtualization, but also at least a PBS in the DMZ to accept the backups. Another PBS in the LAN “fetches” the uncompromised backups from the DMZ PBS and stores them long term in the LAN and off-site.

My 2 cents
Andy

1 Like

A DMZ is just another zone/network and for sure NethSecurity can handle it, no matter if single or double firewall.

The advantage of a single firewall is for example easier management as you just manage 1 device instead of 2.
For sure a single firewall managing more interfaces needs more performance.

I don’t think so; on a single firewall, for example, outbound traffic goes just from LAN to WAN. It’s not LAN to DMZ and then DMZ to WAN. That’s not needed because the traffic is under control and loggable.

I think that’s too strict.

You could allow a specific DMZ web server to write a backup to a specific NAS in the LAN.
Another example would be to have a PBS in the DMZ for web server VM backups and allow syncing it to a PBS in the LAN.
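Both posts above describe the same single-firewall layout (three zones on one box) and differ only in the direction of the backup rule: a DMZ host pushing to a LAN NAS versus a LAN PBS pulling from a DMZ PBS. The fragment below is an added example, not configuration from NethSecurity or from either poster. It assumes NethSecurity’s OpenWrt base and OpenWrt’s `/etc/config/firewall` (fw4) syntax; the zone names, the hypothetical hosts and the RFC 5737 documentation addresses are constructed for illustration.

```uci
# Added example: single-firewall DMZ with LAN-pull backups (assumed OpenWrt/fw4 syntax)

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	# Inter-zone traffic with no matching 'forwarding' section or 'rule' lands here.
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'dmz'
	list network 'dmz'
	# DMZ hosts get no access to the firewall itself (management stays on LAN).
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Zone-level forwarding: LAN and DMZ may reach the Internet.
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'dmz'
	option dest 'wan'

# Deliberately NO 'forwarding' from dmz to lan: a DMZ host cannot open
# connections into the LAN. Replies to LAN-initiated connections still pass,
# because fw4 accepts established/related conntrack state.

# Published service: WAN 443 -> DMZ web server (hypothetical 198.51.100.30).
config redirect
	option name 'WAN-https-to-DMZ-web'
	option src 'wan'
	option src_dport '443'
	option dest 'dmz'
	option dest_ip '198.51.100.30'
	option dest_port '443'
	option proto 'tcp'
	option target 'DNAT'

# LAN-pull backup: only the LAN PBS (hypothetical 192.0.2.10) may reach the
# DMZ PBS (hypothetical 198.51.100.20) on the PBS API port 8007. Nothing in
# the DMZ can initiate the transfer.
config rule
	option name 'Allow-LAN-PBS-pull-from-DMZ-PBS'
	option src 'lan'
	option src_ip '192.0.2.10'
	option dest 'dmz'
	option dest_ip '198.51.100.20'
	option dest_port '8007'
	option proto 'tcp'
	option target 'ACCEPT'

# Push variant (the DMZ web server writing to a LAN NAS, hypothetical
# 192.0.2.40, rsync over ssh assumed). Same rule shape, opposite direction;
# left disabled so the pull-only policy above stays intact.
config rule
	option name 'DMZ-web-push-backup-to-NAS'
	option src 'dmz'
	option src_ip '198.51.100.30'
	option dest 'lan'
	option dest_ip '192.0.2.40'
	option dest_port '22'
	option proto 'tcp'
	option target 'ACCEPT'
	option enabled '0'
```

The point a practitioner should check after applying something like this is the absence of any `forwarding` section with `src 'dmz'` and `dest 'lan'`, and that the only DMZ-to-LAN `rule` entries are ones you consciously enabled; a single `uci show firewall | grep -i dmz` makes both visible. The pull rule is pinned to one source and one destination address and one port, so a compromised DMZ web server gains nothing from it.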

That has nothing to do with security; that is your opinion, and you’re free to hold it. :slight_smile:

Punching holes from the DMZ into the LAN (not restricting it to LAN pull) is thinking: I have a DMZ, I can be lenient on this…

Not really anything near “best practices”.

Is this leniency due to using open source? I do hope not!

But I really would also like to hear from the devs like @davidep :slight_smile:

My 2 cents
Andy

I don’t know why you’re attacking me like that.
It was just an example. You can also pull the backups if you like but for both cases you need to allow it on the single firewall.

The DMZ concept doesn’t mean that firewall rules between DMZ and LAN are not allowed.

Hi @mrmarkuz

I think you know me too well; I’m not attacking you personally. I’d really like for people here to be able to make an informed choice about the multiple facets of DMZ, and choose the right solution for themselves.

Just using a “DMZ” doesn’t mean a panacea for all issues security may bring…

Restricting the term DMZ to a single firewall image, is not providing enough information.

My 2 cents
Andy

It’s ok, I just wanted to say some things about DMZ and that NethSecurity supports it.

5 Likes