Merton Campbell Crockett wrote:
> 
> Personally, I find the external router as a nice place to deal with those
> services that I am absolutely not going to support.

Am I the only one on this list who thinks that a "classic"
DMZ with public servers between the firewall and the Internet 
router is a Bad Idea(tm)? (Seeing the amount of people
recommending this approach over the 3rd NIC approach, it
would seem so.)

To me, it seems that you're just making it a lot easier for
attackers to steal connections between the internal network
and the Internet, and being PITAs in general. I personally
feel a lot safer to have public hosts on a 3rd NIC.

Heck, if you rely on your border router to "screen" things 
for you and do logging, you might as well disregard all the
logs as corrupted, since they (usually?) pass right past
the very same hosts that might be corrupted (Thinking 
ARP spoofing, etc etc etc ...)

Granted, if you can't trust your firewall to be able to provide
"services" to your public hosts on a separate NIC, you might
not want to have these hosts there. But, if this is true, 
isn't that kind of a crappy firewall? *flame shield on*

/Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
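The ARP-spoofing scenario the post gestures at (a compromised public host on the shared segment between the border router and the firewall answering ARP for both of them, so that internal-to-Internet traffic and the router's logging of it flow through the attacker) can be spotted from nothing more than a capture of ARP replies on that segment. The following is an added example and not code from the poster or the list; it parses tcpdump-style ARP reply lines, checks them against a static table of the two bindings that must never change (router and firewall), and flags any MAC that ends up claiming more than one IP. The addresses, MACs and log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input in tcpdump's ARP reply format (hypothetical
# addresses): 192.0.2.1 plays the border router, 192.0.2.2 the firewall's
# external interface, 192.0.2.10 a public web server on the same "classic
# DMZ" segment between them. At 12:00:30 the web server's MAC starts
# answering for both the router and the firewall.
SAMPLE_ARP_LOG = """\
12:00:01.000000 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000000 ARP, Reply 192.0.2.10 is-at 00:11:22:33:44:10, length 28
12:00:03.000000 ARP, Reply 192.0.2.2 is-at 00:11:22:33:44:02, length 28
12:00:30.000000 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:10, length 28
12:00:31.000000 ARP, Reply 192.0.2.2 is-at 00:11:22:33:44:10, length 28
"""

# Static IP->MAC bindings for the boxes that must not be impersonated on the
# segment. Hypothetical values an operator would fill in from the real kit.
TRUSTED_BINDINGS = {
    "192.0.2.1": "00:11:22:33:44:01",  # border router
    "192.0.2.2": "00:11:22:33:44:02",  # firewall, external interface
}

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    kind: str          # "trusted-binding-violation" or "mac-claims-multiple-ips"
    ts: str            # timestamp of the offending reply ("" for aggregate alerts)
    ip: str            # the IP (or comma-joined IPs) involved
    expected_mac: str  # MAC from TRUSTED_BINDINGS ("" for aggregate alerts)
    seen_mac: str      # MAC actually observed


def parse_arp_replies(log_text):
    """Return (timestamp, ip, mac) for every ARP reply line; other lines are skipped."""
    replies = []
    for line in log_text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def detect_arp_spoofing(replies, trusted):
    """Flag replies that rebind a trusted IP to another MAC, plus any single MAC
    that claims several IPs: a host poisoning both ends of a conversation it
    wants to sit in the middle of does exactly that."""
    alerts = []
    ips_per_mac = defaultdict(set)
    for ts, ip, mac in replies:
        ips_per_mac[mac].add(ip)
        expected = trusted.get(ip)
        if expected is not None and expected.lower() != mac:
            alerts.append(Alert("trusted-binding-violation", ts, ip, expected, mac))
    for mac, ips in sorted(ips_per_mac.items()):
        if len(ips) > 1:
            alerts.append(Alert("mac-claims-multiple-ips", "", ",".join(sorted(ips)), "", mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_replies(SAMPLE_ARP_LOG), TRUSTED_BINDINGS):
        print(alert)
```

In the sample this yields two binding violations (the router's and the firewall's IPs answered by the web server's MAC) and one aggregate alert for that MAC claiming three IPs. The caveat that makes the post's architectural point: this detector only helps because the attacker is on the same wire as the router and firewall. With the public hosts on a separate firewall interface there is no shared segment on which to poison the router-to-firewall path in the first place, and the border router's logs stop being dependent on the honesty of the hosts they describe.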