Greg Bastian wrote:

> I have a subnet I wish to masquerade behind one host, and am in the process
> of installing a new firewall.
> 
> What disadvantage do I have by using one machine with 3 NICs.  One to DMZ
> (Web servers, External Email Servers), one to Router to internet, and the
> last masquerading my internal network.
> 
> My other thought was to have this configuration (without the masqueraded
> NIC), and have another tightly configured machine on the internal network
> do the masquerading.

The second option will, in theory, be more secure, especially if you run
different OSes on the different router machines (for example, Linux on the
outside, OpenBSD on the inside), as it will prove harder for a cracker to
tunnel through on the back of one security hole, i.e. if an exploit comes
up for one OS, it is less likely to exist on the other, and so you only
lose one part of your security while having time to find a patch. In the
single-machine option, if access is gained to the machine then they
immediately have access to your entire network, and as this is the main
external point of access, this is the machine most likely to be attacked.
Also, by doing packet filtering on the outside router/firewall you will
lessen the chance of exploits being applied to the inside firewall.

(The setup I am talking about would look like this:

Internet ---- Outside Firewall ---- DMZ ---- Inside Firewall ----
NAT/Masqueraded Internal Network
)

d.

-- 
Dorian Moore is property of Kleber Design Ltd. If found please contact Kleber
by phone on +44 207 581 1362 or visit http://www.kleber.net for further details.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

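As an added example (not part of the thread above, and not the poster's own
configuration), here is a dry-run-able sketch of the two-firewall layout the
reply describes: an outside firewall that only forwards published services
into the DMZ and never forwards Internet traffic to the inside firewall, and
an inside firewall that masquerades the internal network and refuses any
connection initiated from the DMZ side. Both halves are written for
iptables for brevity, although the reply suggests a different OS on each
box; interface names, the 192.0.2.0/24 and 10.0.0.0/24 addressing and the
service list are all assumptions. Set IPT=echo to print the rules instead
of loading them, which is how you can review the policy without root.

```shell
#!/bin/sh
# Added example, not from the original thread. Everything below the IPT
# line (interface names, addresses, services) is an assumption for the
# illustration. Usage: IPT=echo sh twotier.sh outside   (print outer rules)
#                      sh twotier.sh inside              (load inner rules)
IPT="${IPT:-iptables}"

# ---- constructed addressing for the example ---------------------------
EXT_IF=eth0              # outside firewall: link to the Internet router
DMZ_IF=eth1              # outside firewall: link to the DMZ
DMZ_NET=192.0.2.0/24     # DMZ (TEST-NET-1 documentation range)
WEB=192.0.2.10           # DMZ web server
MAIL=192.0.2.25          # DMZ external mail server
INNER_FW_DMZ=192.0.2.1   # inside firewall's DMZ-side address

INT_IF=eth1              # inside firewall: internal LAN
OUT_IF=eth0              # inside firewall: DMZ-side link toward the outer box
INT_NET=10.0.0.0/24      # masqueraded internal network

# Outside firewall: default-deny forwarding. Only the advertised DMZ
# services are reachable from the Internet, the DMZ may only originate the
# traffic its servers need, and nothing from the Internet is ever forwarded
# to the inside firewall, so exploits against it must first get through a
# DMZ host.
outside_fw_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Explicit drop for the inside firewall, ahead of any accept rule.
    $IPT -A FORWARD -i "$EXT_IF" -d "$INNER_FW_DMZ" -j DROP
    # Internet -> DMZ: published services only.
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$WEB" -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$WEB" -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$MAIL" -p tcp --dport 25 -j ACCEPT
    # DMZ -> Internet: outbound mail relay and DNS for the DMZ hosts, nothing else.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$MAIL" -p tcp --dport 25 -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_NET" -p udp --dport 53 -j ACCEPT
    # Traffic the inside firewall masquerades out through the DMZ link.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$INNER_FW_DMZ" -j ACCEPT
}

# Inside firewall: masquerade the internal network behind the DMZ-side
# address. Forwarding is default-deny, internal hosts may go out, replies
# come back via conntrack, and nothing initiated from the DMZ side (a
# compromised web server, for instance) is forwarded inward.
inside_fw_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$OUT_IF" -s "$INT_NET" -j ACCEPT
    $IPT -A FORWARD -i "$OUT_IF" -o "$INT_IF" -m conntrack --ctstate NEW -j DROP
    $IPT -t nat -A POSTROUTING -o "$OUT_IF" -s "$INT_NET" -j MASQUERADE
}

# Only act when told which box we are on; sourcing the file defines the
# functions without loading anything.
case "${1:-}" in
    outside) outside_fw_rules ;;
    inside)  inside_fw_rules ;;
esac
```

Running it with IPT=echo on a workstation prints the exact rule lines each
box would load, which is a convenient way to check that no rule on the outer
box ever names the inside firewall as a destination before the script is
put on a real gateway.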