250_DMZ_fm.qxd 6/5/03 2:27 PM Page i
solutions@syngress.com
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco
study guides in print, we continue to look for ways we can better serve the
information needs of our readers. One way we do that is by listening.
Readers like yourself have been telling us they want an Internet-based
service that would extend and enhance the value of our books. Based on
reader feedback and our own strategic plan, we have created a Web site
that we hope will exceed your expectations.
Solutions@syngress.com is an interactive treasure trove of useful
information focusing on our book topics and related technologies. The site
offers the following features:
- One-year warranty against content obsolescence due to vendor
  product upgrades. You can access online updates for any affected
  chapters.
- “Ask the Author” customer query forms that enable you to post
  questions to our authors and editors.
- Exclusive monthly mailings in which our experts provide answers to
  reader queries and clear explanations of complex material.
- Regularly updated links to sites specially selected by our editors for
  readers desiring additional reliable information on key topics.
Best of all, the book you’re now holding is your key to this amazing site.
Just go to www.syngress.com/solutions, and keep this book handy when
you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure
to let us know if there’s anything else we can do to help you get the
maximum value from your investment. We’re listening.
www.syngress.com/solutions
1 YEAR UPGRADE
BUYER PROTECTION PLAN
Building DMZs for Enterprise Networks
Robert J. Shimonski
Will Schmied
Dr. Thomas W. Shinder
Victor Chang
Drew Simonis
Damiano Imperatore
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or
production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results
to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work
is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state
to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or
other incidental or consequential damages arising out from the Work or its contents. Because some
states do not allow the exclusion or limitation of liability for consequential or incidental damages, the
above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when
working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “The
Definition of a Serious Security Library™”, “Mission Critical™,” and “The Only Way to Stop a Hacker
is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names
mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Building DMZs for Enterprise Networks
Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings
may be entered, stored, and executed in a computer system, but they may not be reproduced for
publication.
Printed in the United States of America
ISBN: 1-931836-88-4
Technical Editor: Robert J. Shimonski
Acquisitions Editor: Jonathan E. Babcock
Indexer: Rich Carlson
Cover Designer: Michael Kavish
Page Layout and Art by: Patricia Lupien
Copy Editor: Darlene Bordwell
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
about itfaqnet.com
Syngress Publishing is a proud sponsor of itfaqnet.com, one of the
web’s most comprehensive FAQ sites for IT professionals. This is a free
service that allows users to query over 10,000 FAQs pertaining to Cisco
networking, Microsoft networking, network security tools, .NET development,
Wireless technology, IP Telephony, Storage Area Networking, Java
development and much more. The content on itfaqnet.com is all derived from our
hundreds of market-proven books, written and reviewed by content
experts.
So bookmark ITFAQnet.com as your first stop for mission-critical advice
from the industry’s leading experts.
www.itfaqnet.com
Acknowledgments
We would like to acknowledge the following people for their kindness and
support in making this book possible.
Karen Cross, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin
Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell,
Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly,
Kristin Keith, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and
Susan Fryer of Publishers Group West for sharing their incredible marketing
experience and expertise.
The incredibly hard working team at Elsevier Science, including Jonathan
Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna
Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie
Moss for making certain that our vision remains worldwide in scope.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong,
Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the
enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall,
Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie
Gross & Associates for all their help and enthusiasm representing our product
in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great
folks at Jaguar Book Group for their help with distribution of Syngress books
in Canada.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs,
Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our
books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga,
Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution
of Syngress books in the Philippines.
Contributors
Thomas W. Shinder M.D. (MVP, MCSE) is a computing industry
veteran who has worked as a trainer, writer, and a consultant for Fortune 500
companies including FINA Oil, Lucent Technologies, and Sealand
Container Corporation. Tom was a Series Editor of the Syngress/Osborne
Series of Windows 2000 Certification Study Guides and is author of the
best-selling books Configuring ISA Server 2000: Building Firewalls with
Windows 2000 (Syngress Publishing, ISBN: 1-928994-29-6) and Dr. Tom
Shinder's ISA Server & Beyond (ISBN: 1-931836-66-3). Tom is the editor
of the Brainbuzz.com Win2k News newsletter and is a regular contributor
to TechProGuild. He is also content editor, contributor, and moderator for
the World's leading site on ISA Server 2000, www.isaserver.org. Microsoft
recognized Tom's leadership in the ISA Server community and awarded
him their Most Valued Professional (MVP) award in December of 2001.
Will Schmied (BSET, MCSE, CWNA, TICSA, MCSA, Security+,
Network+, A+) is the President of Area 51 Partners, Inc., a provider of
wired and wireless networking implementation and security services to
businesses in the Hampton Roads, VA area. Will holds a bachelor's degree
in mechanical engineering technology from Old Dominion University in
addition to his various IT industry certifications and is a member of the
IEEE and ISSA. Will has previously authored or contributed to several
other publications by Syngress Publishing including Implementing and
Administering Security in a Microsoft Windows 2000 Network Study Guide and
DVD Training System (Exam 70-214) (ISBN: 1-931836-84-1), Security+
Study Guide & DVD Training System (ISBN: 1-931836-72-8), and
Configuring and Troubleshooting Windows XP Professional
(ISBN: 1-928994-80-6).
Will lives in Newport News, Virginia with his wife, Chris, and their
children Christopher, Austin, Andrea, and Hannah. Will would like to
thank his family for believing in him and giving him the support and
encouragement he needed during all of those late nights in “the lab.” Will
would also like to say thanks to the entire team of professionals at
Syngress Publishing—you make being an author easy. Special thanks to
Jon Babcock for having a sense of humor that never seems to go out of
style.
Norris L. Johnson, Jr. (Security+, MCSA, MCSE, CTT+, A+, Linux+,
Network+, CCNA) is a technology trainer and owner of a consulting
company in the Seattle-Tacoma area. His consultancies have included
deployments and security planning for local firms and public agencies, as
well as providing services to other local computer firms in need of
problem solving and solutions for their clients. He specializes in Windows
NT 4.0, Windows 2000 and Windows XP issues, providing consultation
and implementation for networks, security planning, and services. In
addition to consulting work, Norris provides technical training for clients and
teaches for area community and technical colleges. He is co-author of
Security+ Study Guide & DVD Training System (Syngress Publishing, ISBN:
1-931836-72-8), Configuring and Troubleshooting Windows XP Professional
(ISBN: 1-928994-80-6), and Hack Proofing Your Network, Second Edition
(ISBN: 1-928994-70-9). Norris has also performed technical edits and
reviews on Hack Proofing Windows 2000 Server (ISBN: 1-931836-49-3)
and Windows 2000 Active Directory, Second Edition (ISBN: 1-928994-60-1).
Norris holds a bachelor’s degree from Washington State University. He is
deeply appreciative of the support of his wife, Cindy, and three sons in
helping to maintain his focus and efforts toward computer training and
education.
Michael Sweeney (CCNA, CCDA, CCNP, MCSE) is the owner of the
network consulting firm Packetattack.com. His specialties are network
design, network troubleshooting, wireless network design, security, and
network analysis using NAI Sniffer and Airmagnet for wireless network
analysis. Michael’s prior published works include Cisco Security Specialist’s
Guide to PIX Firewalls (Syngress Publishing, ISBN: 1-931836-63-9).