In a 'security improvement module' about deploying firewalls
(http://www.sei.cmu.edu/pub/documents/sims/pdf/sim008.pdf or in HTML:
http://www.cert.org/security-improvement/modules/m08.html), several
different architectures for placing a firewall are given. In this document
they are speaking about an untrustworthy host, which is a host that isn't
protected by the firewall. Therefore, hosts on the private network (behind
the firewall) can place only limited trust in it.
I think those kinds of hosts are web servers, mail servers and FTP servers.

The people who wrote this document advise this architecture when
using a single firewall:

priv. network --- firewall ----- untrustw. host ----- internet

They motivate their choice with the statement that when the untrustw. host
has been compromised, intruders don't have access to your network. I agree,
but your public host isn't really secured. In my opinion it is better to
place the public host behind the firewall and then create rules to access
that system from the internet (e.g. static NAT), and/or use a reverse proxy.

What is your opinion about it?

TIA.

Kind regards,
Aza Goudriaan.
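As an added example (not part of the original post or of the CERT module): a shell script that prints an nftables ruleset for the alternative the poster proposes, with the public host on its own segment behind the firewall, reached from the internet through static NAT, while the firewall still keeps that host from reaching the private network, which is the concern the module raises. Interface names and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): nftables ruleset for the
# poster's alternative layout, where the public host sits on its own segment
# behind the firewall and is reached from the internet through static NAT.
# All addresses and interface names below are constructed placeholders.
INET_IF=eth0               # towards the internet
DMZ_IF=eth1                # segment holding the public (untrustworthy) host
PRIV_IF=eth2               # private network
PUBLIC_IP=203.0.113.10     # address the internet sees for the public host
DMZ_HOST=192.168.10.5      # real address of the public host
PRIV_NET=192.168.1.0/24

# Print the ruleset; apply with:  gen_ruleset | nft -f -
gen_ruleset() {
cat <<EOF
table ip fw {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # static NAT: only the published services reach the public host
        iif "$INET_IF" ip daddr $PUBLIC_IP tcp dport { 80, 443 } dnat to $DMZ_HOST
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # private-network traffic leaves with the public address
        ip saddr $PRIV_NET oif "$INET_IF" snat to $PUBLIC_IP
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # internet -> public host, published ports only
        iif "$INET_IF" oif "$DMZ_IF" ip daddr $DMZ_HOST tcp dport { 80, 443 } ct state new accept
        # private network -> internet
        iif "$PRIV_IF" oif "$INET_IF" ip saddr $PRIV_NET ct state new accept
        # the module's point: a compromised public host must not reach the
        # private network, so that direction is dropped explicitly (and counted)
        iif "$DMZ_IF" oif "$PRIV_IF" counter drop
    }
}
EOF
}

# Self-check: no non-comment rule may accept traffic from the DMZ to the private side
check_ruleset() {
    gen_ruleset | grep -v '^ *#' | grep "iif \"$DMZ_IF\" oif \"$PRIV_IF\"" | grep -q accept && return 1
    return 0
}

check_ruleset && gen_ruleset
```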