Mark,

1.  If you are looking at just using the router ACLs and not getting
something like a PIX or the IOS firewall stuff then you are going to have
to have a lot of open ports.  One way to do this is allow all TCP and UDP
ports above 1024 and deny all TCP and UDP ports below 1024 except specific
ports.  This still leaves a pretty big hole.  Your best bet would be to get
something with firewall functionality.  If you don't have any money to
spend on this you could look at IPFilter, IPFW, IPChains, or any of the
other free firewalls.  They can do stuff like this.

2.  Your proxy server probably doesn't stop anything so by definition
anything between your router and your proxy server would really be on the
internal network.  Here are some ideas for how to set up a dmz.

A.  A dmz can be the area between your firewall (or a router with ACLs) and
the Internet.  The servers on the dmz are not protected and would
definitely need to be hardened.

B.  A dmz can be a third network card on the firewall with a network
hanging off of it.

C.  A dmz can be the area between two firewalls.

If your proxy server is multi-homed, is the only machine that can be used to
get to the rest of your network, and doesn't just automatically route all
traffic to the internal network then maybe you could consider the area
between it and the router a dmz.  I really think you should get a firewall
to do what you want.  It would be easier and probably more secure.

Regards,
Jeffery Gieser

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
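The router-ACL approach from point 1, as an added example that is not from the original post: a small Python model of the stateless "allow above 1024, deny below except listed ports" policy beside a minimal stateful filter, run over the same constructed packets so the hole the post mentions is visible. Hosts, ports and the published port set are assumptions made for the demonstration.

```python
# Added example (not from the original post): the stateless ACL policy
# described above next to a minimal stateful filter. All hosts, ports and
# the "published" service list are constructed for the demonstration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when arriving from the Internet side of the router

def acl_allows(pkt: Packet, allowed_low_ports: set) -> bool:
    """Stateless router ACL from the post: inbound TCP/UDP to ports >= 1024 is
    permitted, ports < 1024 only when explicitly listed; outbound is open."""
    if not pkt.inbound:
        return True
    if pkt.proto not in ("tcp", "udp"):
        return False
    return pkt.dport >= 1024 or pkt.dport in allowed_low_ports

class StatefulFilter:
    """Firewall-style filter: inbound traffic is admitted only if it answers a
    connection the inside opened, or targets a deliberately published port."""
    def __init__(self, published: set):
        self.published = published
        self.table = set()  # (proto, inside_ip, inside_port, outside_ip, outside_port)
    def allows(self, pkt: Packet) -> bool:
        if not pkt.inbound:  # record what the inside initiates
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dport in self.published:
            return True
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

def compare(published=frozenset({80})):
    """Run the same traffic through both policies; returns {case: (acl, stateful)}."""
    fw = StatefulFilter(published)
    traffic = [
        ("dns_query", Packet("udp", "10.0.0.5", 40000, "198.51.100.1", 53, False)),
        ("dns_reply", Packet("udp", "198.51.100.1", 53, "10.0.0.5", 40000, True)),
        ("web", Packet("tcp", "203.0.113.9", 51000, "10.0.0.5", 80, True)),
        ("telnet", Packet("tcp", "203.0.113.9", 51001, "10.0.0.5", 23, True)),
        ("unsolicited_8080", Packet("tcp", "203.0.113.9", 51002, "10.0.0.5", 8080, True)),
    ]
    # Order matters for the stateful filter: the query must precede its reply.
    return {name: (acl_allows(pkt, published), fw.allows(pkt)) for name, pkt in traffic}
```

The "unsolicited_8080" case is the hole the post warns about: the ACL admits any inbound packet to a high port, while the stateful filter only admits the DNS reply because the inside host sent the query first.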