I am looking for resources on how to set up a DMZ without the use of a hardware firewall. I am mostly in need on the necessary access lists for the internal and external routers. Many thanks in advance.

yes , you can achieve the same result using access lists by permiting some kind of traffic to the specified host, but access list is not secure as a dedicated firewall.

give more info if u can

I would like all the access lists that would be needed to make the DMZ as secure as possible.

Hi,

What sort off access do you need from the internet/inside to the DMZ and vice versa?

If I see correctly in the diagram(PS! What application you use for the drawing???) you have an 1800 router.

Does it have the firewall feature set?
That has some good firewall features if you have the correct IOS, coupled with access-lists should be no problem.

Let us know!

Rob

ok ,

1-do u want to allow access from the private network to the outside or only to the DMZ?

2-are there any special services u need to allow like http,telnet,etc in the DMZ?

access-list 1 deny any

_________________
Find networking-forum.com on Facebook, LinkedIn, Twitter, Google+,or subscribe to the site's RSS feeds.

Cant get any more secured than that!

steve finished it totally secured

I've found a very helpfull article which pretty much gives me everything I need to know.

http://my.execpc.com/~keithp/dmz.htm

Looks good to me. What do you guys think?

well done , thats exactly your case.

but again access lists can be tricked by experinced hackers so its not for securing your network its only for traffic management.

what do u think guys?

I agree, to secure the DMZ like this would be nigh on impossible but as long as the internal LAN is secure via the Proxy Server, it's a risk you have to take. My only alternative is to have a tri-homed Proxy Server and let ISA Server foward DMZ, LAN and Internet traffic accordingly. Does anyone here have any experience with this?

Uhh, WTF?

Maybe I'm off base here, but by definition a DMZ in UNSECURE, hence the need for it. A DMZ is someplace you allow untrsuted people to do untrusted things. You then properly firewall after (or before, or whatever angle you happen to be looking from) that as it enters the rest of your network.

I realize I'm most likely being too literal here, but my point is don't fool yourself to thinking you have DMZ that is even remotely secure.