On Sun, 6 Feb 2000, Mikael Olsson wrote:
> Merton Campbell Crockett wrote:
> >
> > Personally, I find the external router as a nice place to deal with those
> > services that I am absolutely not going to support.
>
> Am I the only one on this list who thinks that a "classic"
> DMZ with public servers between the firewall and the Internet
> router is a Bad Idea(tm)? (Seeing the amount of people
> recommending this approach over the 3rd NIC approach, it
> would seem so.)
I don't recall mentioning anything about installing public servers on the
external DMZ. Typically, the only systems that I permit to be attached to
the external DMZ are firewalls or "hardened" monitoring systems.
> To me, it seems that you're just making it a lot easier for
> attackers to steal connections between the internal network
> and the Internet, and being PITAs in general. I personally
> feel a lot safer to have public hosts on a 3rd NIC.
I don't allow any public hosts as they constitute a risk. I allow
publicly-accessible services through a firewall designed to provide that
service as opposed to providing it through a general-purpose firewall.
Even with special-purpose firewalls, the access to the public service is
through a second system on the inside edge of the internal DMZ. It's never
directly to the system providing the public service.
Personally, I would only consider using the third NIC on a firewall that is
on the inside edge of the internal DMZ. The only thing that I would use the
third NIC at the boundary between the external and internal DMZ is to create
a "honeypot".
Merton Campbell Crockett
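As an added illustration (not part of the thread, and not anyone's production ruleset), the two-tier layout Merton describes can be written down as hosts-per-segment plus explicit allow rules and checked mechanically against his three stated constraints: only firewalls and monitors on the external DMZ, the Internet reaching the public service only via the inside-edge relay system, and internal clients unreachable from outside. Host, segment and rule names are assumptions; the "classic" variant is constructed to show the checker flagging the design the thread argues against.

```python
from collections import deque

# Constructed topology for the layout in the message (names are assumptions):
# host -> (segment, role). Only firewalls and monitors sit on the external DMZ;
# "relay" is the second system on the inside edge of the internal DMZ and is
# the only path to "app", the system that actually provides the service.
TWO_TIER = {
    "hosts": {
        "ids_sensor": ("external_dmz", "monitor"),
        "svc_fw":     ("external_dmz", "firewall"),   # special-purpose firewall
        "relay":      ("internal_dmz", "relay"),
        "inner_fw":   ("internal_dmz", "firewall"),
        "app":        ("service_net", "service"),
        "desktop":    ("internal", "client"),
    },
    # Allow rules as directed edges (src, dst); anything not listed is denied.
    "rules": [("internet", "svc_fw"), ("svc_fw", "relay"),
              ("relay", "inner_fw"), ("inner_fw", "app")],
}

# Constructed "classic" variant: the public server sits on the external DMZ
# and the Internet talks to it directly.
CLASSIC = {
    "hosts": dict(TWO_TIER["hosts"], app=("external_dmz", "service")),
    "rules": [("internet", "app"), ("app", "inner_fw"), ("inner_fw", "desktop")],
}

def paths(topo, src, dst):
    """All simple paths src->dst permitted by the allow rules (BFS)."""
    adj = {}
    for a, b in topo["rules"]:
        adj.setdefault(a, []).append(b)
    found, queue = [], deque([[src]])
    while queue:
        path = queue.popleft()
        for nxt in adj.get(path[-1], []):
            if nxt not in path:                       # no revisits
                (found if nxt == dst else queue).append(path + [nxt])
    return found

def violations(topo):
    """Return the constraints from the message that this topology breaks."""
    hosts, out = topo["hosts"], []
    for name, (seg, role) in hosts.items():
        if seg == "external_dmz" and role not in ("firewall", "monitor"):
            out.append(f"{name}: only firewalls/monitors belong on the external DMZ")
        if role == "service":
            for p in paths(topo, "internet", name):
                if not any(hosts.get(h, ("", ""))[1] == "relay" for h in p):
                    out.append(f"{name}: Internet reaches the service directly via {p}")
        if role == "client" and paths(topo, "internet", name):
            out.append(f"{name}: internal client reachable from the Internet")
    return out
```

Running `violations(TWO_TIER)` returns an empty list, while `violations(CLASSIC)` reports all three problems.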