> You can only protect against hosts on one side of the firewall
> trying to spoof as hosts known to be on another side of the
> firewall.

Except of course in the case that you have the situation:


                        SSL or some other stream
____db server--------|
|                        ____app server
|                        |
INTint-------------DMZ

           ------------EXTint ------Inet

And the spoofing attempt circumvents any protection provided by machines on
the DMZ to themselves (ACLs, wrappers, etc...), and one is compromised. Most
firewalls should be able to recognize spoofed packets from the DMZ over the
"SSL or..." connection, and reject them, packet filtering, stateful
inspection, or otherwise. This scenario is all too common in ecommerce
environments where machines on the DMZ have access to machines on INTint
(protected network). In the case of this event, the firewall is pretty much
your last hope, and if it can't recognize spoofed packets from DMZ -->
INTint, you're VERY sol. :-)

Matt


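The per-interface anti-spoofing check Matt is relying on, as an added example (not code from the original post or from any firewall product): a packet arriving on the DMZ leg whose source address belongs to INTint is dropped before any directional policy is consulted. The interface names follow the diagram; the prefixes, host addresses and port are assumptions constructed for the example, and the directional policy (DMZ may only talk to the db server on the SSL port) is one plausible reading of the "SSL or some other stream" in the drawing.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the three firewall legs in the post (assumption,
# not from the original message): INTint is the protected network, DMZ holds
# the app servers, EXTint faces the Internet.
INTERFACE_PREFIXES = {
    "INTint": [ipaddress.ip_network("10.0.0.0/24")],
    "DMZ": [ipaddress.ip_network("192.168.1.0/24")],
}
# Ranges that must never appear as a source on the external interface.
BOGON_FROM_EXT = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]
# Hypothetical hosts from the diagram.
DB_SERVER = ipaddress.ip_address("10.0.0.5")        # on INTint
APP_SERVER = ipaddress.ip_address("192.168.1.10")   # on DMZ
DB_PORT = 443                                       # the "SSL or some other stream"


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int


def iface_for(addr):
    """Interface a packet with this address legitimately belongs to."""
    for name, nets in INTERFACE_PREFIXES.items():
        if any(addr in n for n in nets):
            return name
    return "EXTint"


def is_spoofed(pkt):
    """Ingress anti-spoof check: the source must match the arrival interface."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.in_iface == "EXTint":
        # Internal or loopback sources can never legitimately come from the Internet.
        return any(src in n for n in BOGON_FROM_EXT)
    return iface_for(src) != pkt.in_iface


def policy_allows(pkt):
    """Directional policy: DMZ reaches INTint only as app server -> db server:443."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    src_if, dst_if = pkt.in_iface, iface_for(dst)
    if src_if == "DMZ" and dst_if == "INTint":
        return src == APP_SERVER and dst == DB_SERVER and pkt.dport == DB_PORT
    if src_if == "EXTint" and dst_if == "INTint":
        return False  # nothing from the Internet straight into the protected net
    return True


def decide(pkt):
    """Anti-spoof first, then policy; spoofed packets never reach the policy."""
    if is_spoofed(pkt):
        return "DROP spoofed"
    if not policy_allows(pkt):
        return "DROP policy"
    return "ACCEPT"


def run_sample():
    # Constructed packets for the scenario in the post.
    samples = [
        Packet("DMZ", "192.168.1.10", "10.0.0.5", 443),        # legit app -> db stream
        Packet("DMZ", "10.0.0.5", "10.0.0.7", 445),            # compromised DMZ host claiming db's address
        Packet("DMZ", "192.168.1.10", "10.0.0.7", 445),        # honest DMZ source, but outside policy
        Packet("EXTint", "192.168.1.10", "10.0.0.5", 443),     # Internet packet claiming a DMZ address
        Packet("EXTint", "198.51.100.7", "192.168.1.10", 443), # Internet -> DMZ, not spoofed
    ]
    return [decide(p) for p in samples]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The point of ordering the checks this way is the one in the post: once a DMZ host is owned, anything it does with its own address is a policy question, but anything it does with an INTint address should be refused on the DMZ interface outright, regardless of what the policy would otherwise allow between those hosts. On a real firewall this is the per-interface anti-spoofing rule set (or reverse-path check) rather than Python, and it should be verified by actually injecting such packets from the DMZ during a test, not assumed from the product's feature list.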