Most often one will harden the exposed hosts on the DMZ, and likely put
them behind a filtering router to give an added layer of 'protection'.
Thanks,
Ron DuFresne
On Wed, 3 May 2000, Aza Goudriaan wrote:
> In a 'security improvement module' about deploying firewalls
> (http://www.sei.cmu.edu/pub/documents/sims/pdf/sim008.pdf or in HTML:
> http://www.cert.org/security-improvement/modules/m08.html), several
> different architectures for placing a firewall are given. In this document
> they are speaking about an untrustworthy host, which is a host that isn't
> protected by the firewall. Therefore, hosts on the private network (behind
> the firewall) can place only limited trust in it.
> I think those kinds of hosts are web servers, mail servers and ftp servers.
>
> The people who have written this document, advise this architecture when
> using a single firewall:
>
> priv. network --- firewall ----- untrustw. host ----- internet
>
> They motivate their choice with the statement that when the untrustw. host
> has been compromised, intruders don't have access to your network. I agree,
> but your public host isn't really secured. In my opinion it is better to
> place the public host behind the firewall and then create rules to access
> that system from the internet (static NAT, e.g.), and / or use a reverse proxy.
>
> What is your opinion about it?
>
> TIA.
>
> Kind regards,
> Aza Goudriaan.
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
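The two designs discussed in this thread differ in what a compromised public host can reach. The following model, added here as an illustration and not code from either poster or from the SEI/CERT module, expresses Ron's suggestion (hardened hosts on a DMZ behind a filtering device) together with Aza's static NAT idea as a small zone-based packet-filter policy and evaluates a few flows against it. All addresses are constructed documentation ranges (RFC 5737 and RFC 1918), and the rule set and helper names (`ZONES`, `STATIC_NAT`, `POLICY`, `evaluate`) are assumptions for the example.

```python
"""Model of a three-zone packet-filter policy: internet, DMZ, private network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses (documentation and private ranges); not from the original post.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),    # catch-all, least specific prefix
    "dmz": ip_network("192.0.2.0/24"),       # hardened public hosts
    "private": ip_network("10.0.0.0/8"),     # the protected internal network
}

# Static NAT: public address -> DMZ host, translated before the policy lookup.
STATIC_NAT = {
    ip_address("203.0.113.10"): ip_address("192.0.2.10"),  # public web/mail server
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "accept" or "drop"


# First match wins; anything that matches no rule is dropped (default deny).
POLICY = [
    Rule("internet", "dmz", 80, "accept"),        # public web service
    Rule("internet", "dmz", 25, "accept"),        # inbound mail
    Rule("private", "dmz", None, "accept"),       # admins manage DMZ hosts
    Rule("private", "internet", None, "accept"),  # outbound from the inside
    Rule("dmz", "private", None, "drop"),         # a compromised DMZ host gets nothing inside
    Rule("dmz", "internet", 25, "accept"),        # mail relay may deliver outbound
]


def zone_of(addr) -> str:
    """Classify an address by the most specific zone prefix containing it."""
    addr = ip_address(str(addr))
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1]


def evaluate(src: str, dst: str, dst_port: int):
    """Return (action, translated destination, matching rule) for one flow."""
    s, d = ip_address(src), ip_address(dst)
    d = STATIC_NAT.get(d, d)  # apply static NAT first, as a real filter would
    sz, dz = zone_of(s), zone_of(d)
    for rule in POLICY:
        if rule.src_zone == sz and rule.dst_zone == dz and rule.dst_port in (None, dst_port):
            return rule.action, str(d), rule
    return "drop", str(d), None


def sample_flows():
    """Constructed flows that exercise the policy from each zone."""
    return {
        "internet -> public web (via static NAT)": evaluate("198.51.100.7", "203.0.113.10", 80)[0],
        "internet -> private host":               evaluate("198.51.100.7", "10.1.2.3", 80)[0],
        "compromised DMZ host -> private ssh":    evaluate("192.0.2.10", "10.1.2.3", 22)[0],
        "DMZ mail relay -> internet smtp":        evaluate("192.0.2.10", "198.51.100.25", 25)[0],
        "private admin -> DMZ ssh":               evaluate("10.1.2.3", "192.0.2.10", 22)[0],
    }


if __name__ == "__main__":
    for flow, verdict in sample_flows().items():
        print(f"{flow:42} {verdict}")
```

The point of the model is the explicit `dmz -> private` drop: placing the public host behind the filter (Aza's proposal) only keeps the private network protected if the DMZ segment is treated as untrusted in the rule set, which is what makes a DMZ different from simply NATing a public host onto the inside network.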