On 27 Jul 99, at 8:22, HOFMAN, Mark wrote:
> Sorry, I'd have to disagree: a split DNS is a must, but it would make more
> sense on the external interface, as for most firewalls the DMZ is regarded
> as an internal interface.
Obviously I don't want to service external DNS requests from an internal
host, but I also see a lot of exploits targeted against DNS, and taking out a
DNS server might constitute a form of DoS against the site as a whole. So I
want *some* protection of that outer DNS too -- the DMZ seems to me the right
place for it.
[I recall a long thread from a few months back wrangling over the proper
definition of "DMZ", and it's possible that you and I are using different
definitions.]
> As for the proxy you could put it there, however you will find that you
> will have to set up rules on the firewall that allow traffic to the proxy
> (through the firewall) and rules to allow it from the proxy out (through
> the firewall) so you end up with two sets of rules that can easily be
> mixed up. It is easier to put the proxy on the internal side and let the
> firewall direct traffic out to the internet. One set of rules, and one
> location from which outgoing traffic is allowed.
Again, the proxy server becomes an obvious point of attack; I want it
protected from the outside world, but not directly on the internal network.
[Again, we may be differing in definitions, but to me it seems that "two
sets of rules" is the price of having a DMZ, and dodging that means you never
*use* the DMZ for anything.]
It occurs to me that the likelihood of confusing the two rulesets is much
reduced if you use inner and outer firewalls to bracket the DMZ rather than
using a third interface off a single firewall.
David G
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
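The bracketed-DMZ layout David G describes (an outer firewall between the Internet and the DMZ, an inner firewall between the DMZ and the internal LAN, with the public DNS and the outbound proxy sitting in the DMZ) can be modelled as two independent first-match rulesets. The following is an added example, not code from the thread or from any participant; the address ranges, proxy port and rules are constructed for illustration. It shows why the two rulesets stay separate in that design: a packet only ever consults the firewall(s) between its source and destination zones, so the "allow internal to proxy" rule lives on the inner box and the "allow proxy out to the Internet" rule on the outer box, and a DMZ host that is compromised still has no rule letting it initiate a connection inward.

```python
"""Packet-filter model of the bracketed DMZ discussed in the thread: an outer
firewall between the Internet and the DMZ, an inner firewall between the DMZ
and the internal LAN.  Added example, not code from the original thread; every
address, port and rule below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

DMZ = ip_network("192.0.2.0/24")       # constructed DMZ range (TEST-NET-1)
INTERNAL = ip_network("10.0.0.0/8")    # constructed internal LAN range
ANY = ip_network("0.0.0.0/0")
PROXY = ip_network("192.0.2.10/32")    # constructed DMZ web proxy
DNS = ip_network("192.0.2.53/32")      # constructed outer (public) DNS server
PROXY_PORT = 3128                      # constructed proxy listening port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def zone(addr: str) -> str:
    a = ip_address(addr)
    if a in DMZ:
        return "dmz"
    if a in INTERNAL:
        return "internal"
    return "internet"


# Only connection initiation is modelled; a stateful filter would admit the
# replies to any accepted flow without further rules.
OUTER = [   # sits between the Internet and the DMZ
    Rule(ANY, DNS, "udp", 53, "allow"),        # anyone may query the outer DNS
    Rule(ANY, DNS, "tcp", 53, "allow"),
    Rule(DNS, ANY, "udp", 53, "allow"),        # outer DNS may resolve outward
    Rule(PROXY, ANY, "tcp", 80, "allow"),      # proxy fetches on clients' behalf
    Rule(PROXY, ANY, "tcp", 443, "allow"),
    Rule(ANY, ANY, "any", None, "deny"),       # default deny (the proxy is not reachable from outside)
]
INNER = [   # sits between the DMZ and the internal LAN
    Rule(INTERNAL, PROXY, "tcp", PROXY_PORT, "allow"),  # clients must use the proxy
    Rule(INTERNAL, DNS, "udp", 53, "allow"),            # internal resolver forwards outward
    Rule(ANY, ANY, "any", None, "deny"),  # nothing in the DMZ may initiate inward
]


def check(ruleset, p: Packet) -> bool:
    """First matching rule wins; an unmatched packet is dropped."""
    for r in ruleset:
        if r.matches(p):
            return r.action == "allow"
    return False


def evaluate(p: Packet) -> tuple:
    """Pass the packet through each firewall between its source and
    destination zones, in the order it would physically meet them, and
    report the first one that drops it."""
    src_zone, dst_zone = zone(p.src), zone(p.dst)
    if src_zone == dst_zone:
        return True, "same zone, no firewall crossed"
    path = {src_zone, dst_zone}
    crossed = []
    if "internet" in path:      # touching the Internet means crossing the outer box
        crossed.append(("outer", OUTER))
    if "internal" in path:      # touching the LAN means crossing the inner box
        crossed.append(("inner", INNER))
    if src_zone == "internal":  # traffic leaving the LAN meets the inner box first
        crossed.reverse()
    for name, rules in crossed:
        if not check(rules, p):
            return False, f"dropped by {name} firewall"
    return True, "allowed"


if __name__ == "__main__":
    for pkt in [Packet("203.0.113.5", "192.0.2.53", 53, "udp"),   # Internet -> outer DNS
                Packet("203.0.113.5", "192.0.2.10", PROXY_PORT),   # Internet -> proxy
                Packet("10.1.2.3", "192.0.2.10", PROXY_PORT),      # LAN -> proxy
                Packet("10.1.2.3", "203.0.113.80", 80),            # LAN -> Internet directly
                Packet("192.0.2.10", "203.0.113.80", 80),          # proxy -> Internet
                Packet("192.0.2.10", "10.1.2.3", 22)]:             # DMZ host -> LAN
        print(pkt, evaluate(pkt))
```

Run as a script it prints the verdict for each constructed packet. The point of `evaluate` is that a given flow consults at most one ruleset per box it crosses, so the outer and inner policies can be written, reviewed and audited separately; collapsing both into one table on a three-interface firewall is exactly where the "two sets of rules that can easily be mixed up" problem from the thread arises.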