PIX 515-e and DMZ a webserver

Status
Not open for further replies.
Apr 6, 2004
I am the new network admin at my company but I don't run the PIX firewall (I will soon). I've been tasked to build a new Windows 2003 server to run a web server. The dev guys want it on the DMZ and internal access via port 1433 for SQL. I talked to the person that runs the firewall and she told me I'd need to add a new card to the firewall. Is this really needed? I'd assume I could create a static IP address for the server on a new subnet and DMZ it that way. Can anyone provide additional advice?
 
Depends, it is always a good idea to keep systems separate on different DMZs, or at least do a private VLAN switch setup on a single DMZ. This minimizes chances of trust exploitation attacks or sniffing in DMZs in general.

The firewall might not have any more netcards available.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
OK, there is my confusion: what exactly is a netcard? Is it an Ethernet interface on the actual PIX firewall? Currently it has two ports, so a 3rd will be needed for a DMZ webserver? Thanks for the response.
 
If you want to have a DMZ, you will need another interface. She is referring to a PIX-1FE. If you have an old Intel card lying around, you could possibly use it... depending on the chipset. Do so at your own risk. I personally would just buy the card... not that expensive.
 