Document: Syngress Building DMZs for Enterprise Networks - Pdf 90



With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco
study guides in print, we continue to look for ways we can better serve the
information needs of our readers. One way we do that is by listening.
Readers like yourself have been telling us they want an Internet-based service
that would extend and enhance the value of our books. Based on
reader feedback and our own strategic plan, we have created a Web site
that we hope will exceed your expectations.
is an interactive treasure trove of useful infor-
mation focusing on our book topics and related technologies. The site
offers the following features:

One-year warranty against content obsolescence due to vendor
product upgrades. You can access online updates for any affected
chapters.

“Ask the Author” customer query forms that enable you to post
questions to our authors and editors.

Exclusive monthly mailings in which our experts provide answers to
reader queries and clear explanations of complex material.

Regularly updated links to sites specially selected by our editors for
readers desiring additional reliable information on key topics.
Best of all, the book you’re now holding is your key to this amazing site.
Just go to www.syngress.com/solutions, and keep this book handy when
you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure
to let us know if there’s anything else we can do to help you get the
maximum value from your investment. We’re listening.

Definition of a Serious Security Library™,” “Mission Critical™,” and “The Only Way to Stop a Hacker
is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names
mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Building DMZs for Enterprise Networks
Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings
may be entered, stored, and executed in a computer system, but they may not be reproduced for
publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-88-4
Technical Editor: Robert J. Shimonski
Cover Designer: Michael Kavish
Acquisitions Editor: Jonathan E. Babcock
Page Layout and Art by: Patricia Lupien

Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm
with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall,
Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie
Gross & Associates for all their help and enthusiasm representing our product
in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great
folks at Jaguar Book Group for their help with distribution of Syngress books
in Canada.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs,
Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our
books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga,
Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution
of Syngress books in the Philippines.
Contributors
Thomas W. Shinder M.D. (MVP, MCSE) is a computing industry veteran
who has worked as a trainer, writer, and a consultant for Fortune 500
companies including FINA Oil, Lucent Technologies, and Sealand
Container Corporation. Tom was a Series Editor of the Syngress/Osborne
Series of Windows 2000 Certification Study Guides and is author of the
best selling books Configuring ISA Server 2000: Building Firewalls with
Windows 2000 (Syngress Publishing, ISBN: 1-928994-29-6) and Dr. Tom
Shinder's ISA Server & Beyond (ISBN: 1-931836-66-3). Tom is the editor
of the Brainbuzz.com Win2k News newsletter and is a regular contributor
to TechProGuild. He is also content editor, contributor, and moderator for
the World's leading site on ISA Server 2000, www.isaserver.org. Microsoft

problem solving and solutions for their clients. He specializes in Windows
NT 4.0, Windows 2000 and Windows XP issues, providing consultation
and implementation for networks, security planning, and services. In addition
to consulting work, Norris provides technical training for clients and
teaches for area community and technical colleges. He is co-author of
Security+ Study Guide & DVD Training System (Syngress Publishing, ISBN:
1-931836-72-8), Configuring and Troubleshooting Windows XP Professional
(ISBN: 1-928994-80-6), and Hack Proofing Your Network, Second Edition
(ISBN: 1-928994-70-9). Norris has also performed technical edits and
reviews on Hack Proofing Windows 2000 Server (ISBN: 1-931836-49-3)
and Windows 2000 Active Directory, Second Edition (ISBN: 1-928994-60-1).
Norris holds a bachelor’s degree from Washington State University. He is
deeply appreciative of the support of his wife, Cindy, and three sons in
helping to maintain his focus and efforts toward computer training and
education.
Michael Sweeney (CCNA, CCDA, CCNP, MCSE) is the owner of the
network consulting firm Packetattack.com. His specialties are network
design, network troubleshooting, wireless network design, security, and
network analysis using NAI Sniffer and Airmagnet for wireless network
analysis. Michael’s prior published works include Cisco Security Specialist’s
Guide to PIX Firewalls (Syngress Publishing, ISBN: 1-931836-63-9).
Michael is a graduate of the University of California, Irvine, extension
program with a certificate in Communications and Network
Engineering. Michael resides in Orange, CA with his wife Jeanne and
daughter Amanda.
Ido Dubrawsky (CCNA, SCSA) has been working as a UNIX/Network
Administrator for over 10 years. He has experience with a variety of UNIX
operating systems including Solaris, Linux, BSD, HP-UX, AIX, and Ultrix.

New York’s government agencies and large enterprises. Damiano has over
8 years of experience in the data networking field with strengths in
designing, building, and securing large complex enterprise networks. Prior
to Verizon, Damiano worked for the Cendant Corporation as a Lead
Network Architect where he designed, managed and supported Cendant’s
very large global network. At Cendant, he was also tasked with designing
and supporting DMZ infrastructures for several major websites including
Avis Rent-A-Car, Century 21 and websites related to Cendant’s hospitality
unit. Damiano holds a bachelor’s degree in Computer Science from
Hofstra University.
Daniel Kligerman (CCSA, CCSE, Extreme Networks GSE, LE) is a
Consulting Analyst with TELUS Enterprise Solutions Inc., where he specializes
in routing, switching, load balancing, and network security in an
Internet hosting environment. Daniel is a contributing author for Check
Point Next Generation Security Administration (Syngress, ISBN: 1-928994-74-1).
A University of Toronto graduate, Daniel holds an honors bachelor’s
of Science degree in Computer Science, Statistics, and English.
Daniel currently resides in Toronto, Canada. He would like to thank
Robert, Anne, Lorne, and Merita for their support.
Drew Simonis (CCNA, SCSA, SCNA, CCSA, CCSE, IBM CS) is a
Senior Network Security Engineer with the RL Phillips Group, LLC. He
provides senior level security consulting to the United States Navy, working
on large enterprise networks. He considers himself a security generalist,
with a strong background in system administration, Internet application
development, intrusion detection and prevention and response, and penetration
testing. Drew’s background includes a consulting position with Fiderus,
serving as a security architect with AT&T and as a Technical Team Lead
with IBM. Drew has a bachelor’s degree from the University of South

Technology and worked on accounts ranging from the IRS to AVIS Rent
a Car, and was part of the team that rebuilt the entire Avis worldwide
network infrastructure to include the Core and all remote locations.
Robert maintains a role as a part time technical trainer at a local computer
school, teaching classes on networking and systems administration
whenever possible.
Robert is also a part-time author who has worked on over 25 book
projects as both an author and technical editor. He has written and edited
books on a plethora of topics with a strong emphasis on network security.
Robert has designed and worked on several projects dealing with cutting
edge technologies for Syngress Publishing, including the only book dedicated
to the Sniffer Pro protocol analyzer. Robert has worked on the following
Syngress Publishing titles: Building DMZs for Enterprise Networks
(ISBN: 1-931836-88-4), Security+ Study Guide & DVD Training System
(ISBN: 1-931836-72-8), Sniffer Pro Network Optimization & Troubleshooting
Handbook (ISBN: 1-931836-57-4), Configuring and Troubleshooting Windows
XP Professional (ISBN: 1-928994-80-6), SSCP Study Guide & DVD
Training System (ISBN: 1-931836-80-9), Nokia Network Security Solutions
Handbook (ISBN: 1-931836-70-1) and the MCSE Implementing and
Administering Security in a Windows 2000 Network Study Guide & DVD
Training System (ISBN: 1-931836-84-1).
Robert’s specialties include network infrastructure design with the
Cisco product line, systems engineering with Windows 2000/2003
Server, NetWare 6, Red Hat Linux and Apple OSX. Robert’s true love is
network security design and management utilizing products from the
Nokia, Cisco, and Check Point arsenal. Robert is also an advocate of
Network Management and loves to ‘sniff’ networks with Sniffer-based

Public and Private IP Addressing 28
Ports 29
The OSI Model 30
Identifying Potential Risks from the Internet 31
Using Firewalls to Protect Network Resources 32
Using Screened Subnets to Protect Network Resources 32
Securing Public Access to a Screened Subnet 33
Traffic and Security Risks 35
Application Servers in the DMZ 35
Domain Controllers in the DMZ 36
RADIUS-Based Authentication Servers in the DMZ 36
VPN DMZ Design Concepts 36
Advanced Risks 37
Business Partner Connections 37
Extranets 38
Web and FTP Sites 38
E-Commerce Services 39
E-Mail Services 39
Advanced Design Strategies 39
Advanced DMZ Design Concepts 40
Remote Administration Concepts 41
Authentication Design 43
Summary 44
Solutions Fast Track 45
Frequently Asked Questions 47
Chapter 2 Windows 2000 DMZ Design 49
Introduction 50
Introducing Windows 2000 DMZ Security 51

Chapter 3 Sun Solaris DMZ Design 103
Introduction 104
Placement of Servers 104
The Firewall Ruleset 108
The Private Network Rules 108
The Public Network Rules 111
Server Rules 113
System Design 114
Hardware Selection: The Foundation 116
Common DMZ Hardware Requirements 117
Network Hardware Considerations 117
Software Selection: The Structure 118
Popular Firewall Software Packages 119
High Availability of the DMZ Server 120
Host Security Software 121
Other Software Considerations 122
Configuration: The Plumbing and Other Details 123
Disk Layout and Considerations 123
Increasing the Verbosity of Local Auditing 124
Backup Considerations 125
Remote Administration 126
Putting the Puzzle Together 126
Layering Local Security 128
Auditing Local File Permissions 130
Building the Model for Future Use 133
Implementation: The Quick, Dirty Details 135
Media Integrity 135
Physical Host Security 135

Wireless DMZ Examples 174
Wireless LAN Security Best-Practices Checklist 178
Summary 181
Solutions Fast Track 181
Frequently Asked Questions 183
Chapter 5 Firewall Design: Cisco PIX 185
Introduction 186
Basics of the PIX 186
Securing Your Network Perimeters 187
The Cisco Perimeter Security Solution 187
Cisco PIX Versions and Features 192
Cisco PIX Firewalls 192
The Cisco PIX 501 Firewall 192
The Cisco PIX 506E Firewall 193
The Cisco PIX 515E Firewall 194
The Cisco PIX 525 Firewall 196
The Cisco PIX 535 Firewall 197
Cisco Firewall Software 198
The Cisco PIX Device Manager 199
Cisco PIX Firewall Licensing 200
Cisco PIX Firewall Version 6.3 201
PIX Firewall PCI Card Options 202
Making a DMZ and Controlling Traffic 207
Securely Managing the PIX 207
The Console 207
Telnet 208
SSH 209
The PIX Device Manager 210
Authenticating Management Access to the PIX 212

Securing SNMP and NTP 252
PIX Firewall Design and Configuration Checklist 253
Summary 254
Solutions Fast Track 255
Frequently Asked Questions 257
Chapter 6 Firewall and DMZ Design: Check Point NG 259
Introduction 260
Basics of Check Point NG 260
Stateful Inspection 261
Network Address Translation 261
Management Architecture 262
Securing Your Network Perimeters 262
The Check Point Perimeter Security Solution 262
Configuring Check Point to Secure Network Perimeters 263
Antispoofing 264
SmartDefense 266
Stateful Inspection Customization 273
Making a DMZ and Controlling Traffic 275
Configuring the DMZ Interface 275
Configuring Access Rules 277
Configuring Network Address Translation 279
Routing Through Check Point FireWall-1/VPN-1 280
Check Point NG Secure DMZ Checklist 280
Summary 282
Solutions Fast Track 282
Frequently Asked Questions 283
Chapter 7 Firewall and DMZ Design: Nokia Firewall 285

Summary 316
Solutions Fast Track 316
Frequently Asked Questions 319
Chapter 8 Firewall and DMZ Design: ISA Server 2000 321
Introduction 322
Configuring a Trihomed DMZ 322
The Network Layout 324
CLIENTDC 325
ISA 326
Internal Interface 326
External Interface 326
DMZ Interface 326
DMZSMTPRELAY 326
Router 327
Interface #1 (the DMZ Interface) 327
Interface #2 (the Public Interface) 327
Laptop (External Network Client) 327
Configuring the ISA Server 328
Ping Testing the Connections 330
Creating an Inbound ICMP Ping Query Packet Filter on the ISA Server External Interface 331
Creating an Inbound ICMP Ping Query Packet Filter to the DMZ Host’s Interface 334
Pinging the ISA Server Interfaces from the DMZ Hosts 337
Creating a Global ICMP Packet Filter for DMZ Hosts 337
Publishing DMZ SMTP Servers 338
Publishing a DMZ SMTP Mail Relay Server 342
Publishing a Web Server 350
Publishing an FTP Server on a Trihomed DMZ Segment 351
How FTP Works 351

Directed Broadcasts 399
Proxy ARP 400
Small Services 400
Finger 401
IP Source Routing 401
Bootp Server 402
Other Security Features 402
Securing the Switch 403
Cisco Switches 404
Catalyst 2950 404
Catalyst 3550 405
Catalyst 4500 405
Catalyst 6500 406
Securely Managing Switches 407
Console 408
Telnet 408
SSH 410
HTTP 410
Enable Passwords 410
AAA 411
Syslogs, SNMP, and NTP 412
Security Banner 412
Disabling Unneeded IOS Features 412
VLAN Trunking Protocol 413
VLANs 414
Private VLANs 419
Securing Switch Ports 422
IOS Bugs and Security Advisories 424

