Everything behind the firewall, regardless of purpose.
                      +-------------- eth1   webservers
outside eth0 -----[firewall]
                      +-------------- eth2   inside

Protect everything, trust no one. Also place a router prior to this to do
ingress filtering.

-j

On Wed, 3 May 2000, Aza Goudriaan wrote:

> In a 'security improvement module' about deploying firewalls
> (http://www.sei.cmu.edu/pub/documents/sims/pdf/sim008.pdf or in HTML:
> http://www.cert.org/security-improvement/modules/m08.html), several
> different architectures for placing a firewall are given. In this document
> they are speaking about an untrustworthy host, which is a host that isn't
> protected by the firewall. Therefore, hosts on the private network (behind
> the firewall) can place only limited trust in it. 
> I think those kinds of hosts are web servers, mail servers and ftp servers.
> 
> The people who have written this document, advise this architecture when
> using a single firewall:
> 
> priv. network --- firewall ----- untrustw. host ----- internet
> 
> They motivate their choice with the statement that when the untrustw. host
> has been compromised, intruders don't have access to your network. I agree,
> but your public host isn't really secured. In my opinion it is better to
> place the public host behind the firewall and then create rules to access
> that system from internet (static NAT, e.g.), and / or use a reverse proxy.
> 
> What is your opinion about it?
> 
> TIA.
> 
> Kind regards,
> Aza Goudriaan.
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

--
J. Adams                                        http://www.retina.net/~jna
You are supposed to be a consumer, a black hole for goods, advertising and
content. They only want to allocate enough upstream bandwidth for
10,000,000 buy buttons. Producing or sharing information is a subversive
act and will not be tolerated. -anonymous coward on /.


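The three-legged layout in the reply above, written out as a firewall ruleset. This is an added example, not code from the original post or from either poster: the interface names follow the reply's diagram, while the address blocks, the resolver address and the use of iptables (in place of the ipchains of the day) are assumptions.

```shell
#!/bin/sh
# Added example for the three-legged firewall in the reply above.
# Assumed layout:  eth0 outside, eth1 web servers (DMZ), eth2 inside.
# Address blocks, resolver and the use of iptables are assumptions.
# Run with "show" to print the rules, "apply" to load them.

IPT="${IPT:-iptables}"
OUTSIDE="${OUTSIDE:-eth0}"
DMZ="${DMZ:-eth1}"
INSIDE="${INSIDE:-eth2}"
DMZ_NET="${DMZ_NET:-192.0.2.0/24}"          # assumed DMZ block (TEST-NET-1)
INSIDE_NET="${INSIDE_NET:-10.0.0.0/8}"      # assumed private block
DNS_SERVER="${DNS_SERVER:-198.51.100.53}"   # assumed upstream resolver

# Ingress filtering: a packet arriving on the outside leg may not carry an
# inside, DMZ, loopback or RFC 1918 source address. The reply puts this on an
# upstream router; repeating it here survives a router misconfiguration.
ingress_filter() {
    for net in "$INSIDE_NET" "$DMZ_NET" 127.0.0.0/8 \
               10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT   -i "$OUTSIDE" -s "$net" -j DROP
        $IPT -A FORWARD -i "$OUTSIDE" -s "$net" -j DROP
    done
}

# The firewall itself: nothing new from outside or the DMZ, admin SSH from inside.
firewall_self() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INSIDE" -s "$INSIDE_NET" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Traffic between the three legs: default deny, only listed flows pass.
forward_policy() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Outside -> web servers: HTTP and HTTPS only.
    for port in 80 443; do
        $IPT -A FORWARD -i "$OUTSIDE" -o "$DMZ" -d "$DMZ_NET" \
            -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Inside -> outside and inside -> web servers: the private net may initiate.
    $IPT -A FORWARD -i "$INSIDE" -s "$INSIDE_NET" -o "$OUTSIDE" -j ACCEPT
    $IPT -A FORWARD -i "$INSIDE" -s "$INSIDE_NET" -o "$DMZ" -j ACCEPT

    # Web servers -> inside: never. A compromised web server may answer
    # sessions the inside opened (ESTABLISHED above) but cannot open its own.
    $IPT -A FORWARD -i "$DMZ" -o "$INSIDE" -j DROP

    # Web servers -> outside: DNS to one resolver only, so a foothold on a
    # web server cannot call home freely. Extend only with what the hosts need.
    $IPT -A FORWARD -i "$DMZ" -s "$DMZ_NET" -o "$OUTSIDE" \
        -d "$DNS_SERVER" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$DMZ" -o "$OUTSIDE" -j LOG --log-prefix "dmz-egress-denied: "
    $IPT -A FORWARD -i "$DMZ" -o "$OUTSIDE" -j DROP
}

build_ruleset() {
    $IPT -F INPUT
    $IPT -F FORWARD
    ingress_filter
    firewall_self
    forward_policy
}

case "${1:-}" in
    apply) build_ruleset ;;
    show)  IPT=echo build_ruleset ;;
esac
```

The rule the whole layout hinges on is the unconditional DROP from eth1 to eth2: that is what keeps a compromised web server out of the private network even though it sits behind the same firewall, which is the property the quoted SEI document wants from its "untrustworthy host" placement. Keeping the ingress filter on the upstream router as well, as the reply suggests, means spoofed packets are discarded before they reach the firewall at all.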