At 10:36 21/08/00 -0400, Sumeet Vij wrote:
>Ben,
> What I meant was the proxy server in the DMZ can't open a connection to the
>real server inside the firewall. It can only write on a connection that was
>pre-opened by the server inside the firewall.
> The security people seem to think that by not allowing new connections to
>come in through the Proxy server, the real server inside the firewall would
>be safe even if the proxy server is compromised. I am not sure how
>convincing the argument is. Please let me know if their assumption is sound.
Their assumption is sound and reasonable. Unless you find a secure way or you
"accept" the risk, you'd better reject "incoming" connections.
Also, you don't want to have the same level of severity on both hosts, and if you
allow the DMZ host to get to the internal host, then you should be as severe on the
DMZ as you are for internal hosts, but then you don't need a DMZ!
>Again, if you know of some products/implementations of this, please let me
Here I'll second Ben and confess that I don't understand the meaning of
your original message.
What exactly do you want to achieve?
Do you want people in the public network to access resources in your
internal server?
If so, then copy the files you want to make available on the DMZ server.
cheers,
mouss
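
The policy described in the quoted message, sketched as an added example (not part of the thread and not any product's code): a stateful filter that lets only the internal server open connections to the DMZ proxy, then passes traffic both ways on that tracked connection. Zone names, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass

# Zones and addresses below are constructed for this example.
INTERNAL, DMZ = "internal", "dmz"

@dataclass(frozen=True)
class Packet:
    src_zone: str
    src: tuple          # (ip, port)
    dst_zone: str
    dst: tuple          # (ip, port)
    syn: bool = False   # True for a connection-opening segment

class StatefulFilter:
    """New connections only internal -> DMZ; other packets need tracked state."""

    def __init__(self):
        self.flows = set()  # established flows, keyed by their two endpoints

    def decide(self, p: Packet) -> str:
        key = frozenset((p.src, p.dst))
        if p.syn:
            if p.src_zone == INTERNAL and p.dst_zone == DMZ:
                self.flows.add(key)
                return "ACCEPT new"
            return "DROP new"            # the DMZ may never initiate inward
        if key in self.flows:
            return "ACCEPT established"  # either direction; payload not inspected
        return "DROP no-state"

def replay(packets):
    """Run packets through a fresh filter and return the verdicts in order."""
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]

REAL = ("10.0.0.5", 40000)    # real server, ephemeral source port
PROXY = ("192.0.2.10", 9000)  # DMZ proxy listener

SAMPLE = [
    Packet(DMZ, ("192.0.2.10", 51000), INTERNAL, ("10.0.0.5", 80), syn=True),
    Packet(INTERNAL, REAL, DMZ, PROXY, syn=True),    # pre-opened by the real server
    Packet(DMZ, PROXY, INTERNAL, REAL),              # proxy writes on that connection
    Packet(INTERNAL, REAL, DMZ, PROXY),              # real server replies
    Packet(DMZ, PROXY, INTERNAL, ("10.0.0.5", 22)),  # proxy tries another port
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(p.src, "->", p.dst, verdict)
```

The "ACCEPT established" verdict depends only on connection state: whatever the proxy writes on the pre-opened connection still reaches the real server, so that one channel is where input validation on the internal side has to happen.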