D-Link Firewalls User's Guide, 16.1. General (page 129)

server. For instance, suppose our web server is running on NT, which might be vulnerable to a number of denial-of-service attacks against services such as RPC, NetBIOS, and SMB. These services are not required for the operation of HTTP, so we can set rules to block the relevant TCP connections to ports 135, 137, 138, and 139 on that server to reduce its exposure to denial-of-service attacks.

Summary:
This solution means that, with a DMZ deployment, there is no direct access from the Internet into the internal network, and anyone trying to access resources in the DMZ from the Internet has to pass the firewall's rules. The setting of the firewall's rules follows one important security principle: limit the connections to the minimum number necessary to support the services.

16.1.2 DMZ Planning

Deploying a DMZ is a large-scale task, involving segmentation of the network structure and configuration of the firewall rules. It therefore requires careful planning to achieve both the protection and the scalability purposes.

We use a small set of components to illustrate the different approaches to DMZ planning:

• A D-Link firewall with 3 interfaces: Int net, DMZ net, and Ext net
• A private computer: Client A
• A File Server containing the LAN's private data
• A Database Server containing resources for public web services
• A Web Server for public connections

Approach 1 – File Server, Database Server, and Client A on Int net; Web Server on DMZ net.

Drawback: The Web Server on DMZ net needs some ports opened on Int net to reach the Database Server. If the Web Server is taken over by an intruder, the Database Server and the other components on Int net may be exposed to attack.
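The following is an added example, not taken from the D-Link guide: a small first-match rule table in Python modelling the three-interface DMZ of Approach 1, the NetBIOS/RPC/SMB port block on the NT web server, and the default-deny principle. The addresses, the database port 1433, and the rule-table syntax are assumptions for illustration, not D-Link configuration.

```python
from dataclasses import dataclass
from typing import Optional

# Interfaces named in the guide's scenario.
INT, DMZ, EXT = "Int net", "DMZ net", "Ext net"

# Constructed host addresses for the example (hypothetical, not from the guide).
WEB_SERVER = "192.0.2.10"   # NT web server on DMZ net
DB_SERVER = "10.0.0.20"     # Database Server on Int net (Approach 1)
CLIENT_A = "10.0.0.50"      # private computer on Int net
NETBIOS_PORTS = {135, 137, 138, 139}   # RPC / NetBIOS / SMB, not needed for HTTP
DB_PORT = 1433                          # assumed database listener port


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    src_if: str                       # "*" matches any interface
    dst_if: str
    dst_ip: Optional[str] = None      # None matches any host
    dst_ports: Optional[set] = None   # None matches any TCP port


# First-match rule table. The final rule denies everything not explicitly
# permitted, i.e. "limit the connections to the minimum necessary".
RULES = [
    Rule("deny", EXT, DMZ, WEB_SERVER, NETBIOS_PORTS),  # block DoS-prone services on the NT host
    Rule("allow", EXT, DMZ, WEB_SERVER, {80, 443}),     # only the public web service is reachable
    Rule("allow", DMZ, INT, DB_SERVER, {DB_PORT}),      # Approach 1: Web Server needs the database
    Rule("allow", INT, EXT),                            # internal clients may connect outward
    Rule("deny", "*", "*"),                             # default deny, including Ext net -> Int net
]


def evaluate(src_if: str, dst_if: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for a TCP connection; the first matching rule wins."""
    for r in RULES:
        if r.src_if not in ("*", src_if) or r.dst_if not in ("*", dst_if):
            continue
        if r.dst_ip is not None and r.dst_ip != dst_ip:
            continue
        if r.dst_ports is not None and dst_port not in r.dst_ports:
            continue
        return r.action
    return "deny"   # no rule matched: deny by default


def reachable_from(src_if: str, targets: list) -> list:
    """(interface, ip, port) triples a host on src_if may open: what an intruder on it inherits."""
    return [t for t in targets if evaluate(src_if, *t) == "allow"]
```

Running `reachable_from(DMZ, ...)` over the internal hosts shows exactly the Approach 1 drawback: a compromised Web Server keeps its allowed path to the Database Server on Int net, while every other internal host stays unreachable.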