> -----Original Message-----
> From: Ben Nagy [mailto:[EMAIL PROTECTED]]
>
> Actually, at first this looks like lunacy.
>
> Look at where the "DMZ" is - at BEST it's one NIC away from the internal LAN.
>
<snip stuff about diagram (which I thought was understandable)>
>
>
> This is the classic "screened subnet" architecture from several of The Books, however it has a dangling firewall (FW1) towards the inside network.
>
> Leaving aside the placement of the DMZ, which should probably be as close as practical to the OUTSIDE (in other words 'netwards of FW2), I wonder why they have both FW1 and the router next to it?
>
> Surely one of these devices is redundant. What extra security can a packet screen provide if it's right in front of a firewall - if the firewall is that insecure then why bother having it?
>
This is a good point. Time after time I see this type of configuration at
client sites and have yet to understand the full reasoning behind it - you
are really using a screening router to protect a firewall? Does not make
sense.
The only reason / benefit I can see in this architecture is that by using
the screening router you will tend to filter a lot of 'noise' (i.e. script
kiddies & the like), whilst the firewall logs will contain more relevant
information - serious stuff; after all, if it gets through a properly
configured screening router then chances are it is more than a simple port
scan.
> The only reasonable use I could find for this architecture is a "double DMZ". I'm not sure why anyone would want such a thing, but it would mean that you could have DMZ one just netwards of FW1 and DMZ2 (the Internet DMZ) just LANwards of R1. I would probably swap R1 and FW1 to improve speed however.
>
> If the level of trust in the Internal LAN were not great, or the information / resources used in the LAN DMZ were that critical, then I guess this architecture could be useful.
I have recommended setups like this for deployment in situations where you
have two (or more) distinct 'Zones Of Trust' between the internal network
and the external network(s), such as eCommerce or Extranets (does anyone else
think this word is pointless?). In eCommerce situations there are quite
frequently many DMZs - one where the web servers are located and typically
another (further away from the Internet) where any sensitive stuff occurs.
HTTP is allowed to DMZ1 but only HTTPS is allowed to DMZ2, or some other such
rule.
Anyway, just my 0.02c
> From: Shubinsky, Slava [mailto:[EMAIL PROTECTED]]
>
> I've seen an interesting architecture...
>
> Net---FW1----R----FW2---R---Internet
> |
> DMZ
>
> At first this seems to be a tighter security architecture,
> but at a closer look this might be wasteful especially if
> the two firewalls are the same type. Has anyone run
> into something like this? What are the general thoughts?
>
> Thanks!
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
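An added example, not from the thread or any of its posters: a small Python model of the two-tier design discussed above, with a coarse screening router in front of a firewall that enforces the "HTTP to DMZ1, HTTPS only to DMZ2" zone rule. It shows why only traffic that survives the router ever appears in the firewall log. Zone names, port sets and the sample flows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str   # "internet", "dmz1", "dmz2" or "lan"
    dst_zone: str
    dport: int      # TCP destination port

# Screening router ACL (assumed for illustration): coarse and stateless.
# It only forwards web ports towards the DMZs and drops everything else,
# so port-scan noise never reaches the firewall or its logs.
ROUTER_DMZ_PORTS = {80, 443}

def router_screen(flow: Flow) -> bool:
    """True if the screening router forwards the flow on to the firewall."""
    if flow.src_zone != "internet":
        return True  # the router only screens inbound traffic
    return flow.dst_zone in ("dmz1", "dmz2") and flow.dport in ROUTER_DMZ_PORTS

# Firewall zone policy: HTTP to DMZ1, HTTPS only to DMZ2, DMZ1 may talk
# HTTPS to DMZ2, the LAN may go anywhere (None = any port), nothing else.
FW_POLICY = {
    ("internet", "dmz1"): {80},
    ("internet", "dmz2"): {443},
    ("dmz1", "dmz2"): {443},
    ("lan", "dmz1"): None, ("lan", "dmz2"): None, ("lan", "internet"): None,
}

def firewall_decide(flow: Flow) -> str:
    allowed = FW_POLICY.get((flow.src_zone, flow.dst_zone), set())
    return "ACCEPT" if allowed is None or flow.dport in allowed else "DROP"

def run(flows):
    """Return (router_drops, firewall_log). Only flows that pass the router
    are ever seen, and therefore logged, by the firewall."""
    router_drops, fw_log = 0, []
    for f in flows:
        if not router_screen(f):
            router_drops += 1
            continue
        fw_log.append((f, firewall_decide(f)))
    return router_drops, fw_log

# Constructed sample: a port scan of DMZ1, legitimate web hits, a stray
# HTTP attempt at DMZ2, a direct probe of the LAN and two DMZ1-originated flows.
SAMPLE = [Flow("internet", "dmz1", p) for p in (21, 22, 23, 25, 80, 443, 3389)] + [
    Flow("internet", "dmz2", 443), Flow("internet", "dmz2", 80),
    Flow("internet", "lan", 445), Flow("dmz1", "dmz2", 443), Flow("dmz1", "lan", 22),
]
```

Running `run(SAMPLE)` shows the router silently absorbing six flows (the scan ports and the LAN probe) while the firewall logs only the six that matter, accepting three and dropping three, including the HTTPS-to-DMZ1 and HTTP-to-DMZ2 attempts the router let through.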