hi ...

just my $0.02 worth...

> 
> Would it be better to put it out on the DMZ or to run two DMZs?
> 
> I'd think it would be better to run two firewalls.  Something like:
> 
>   Router/Firewall
>       |
>     DMZ
>       |
>   Firewall ----  ADSL machine -- Router/Firewall -- ADSL
>       |
>   Internal  Network

dmz machines are endpoints... they shouldn't pass traffic to internal
 lans and firewalls


If time and cost and maintenance and skills were more of an issue ...
I'd propose a simpler solution for some personal networks


    internet
       |
       |
adsl router/firewall  ( hardware version ? )
       |
 f i r e w a l l   ( ipchains etc )
  |           |   
 dmz       internal lan
192.168.x  10.0.1.x
        
internal lan should NOT allow incoming traffic to the internal lan


yes... if they hack into the firewall you're hosed... but you're
hosed anyway if they get into any firewall... cause if they get into
one... they can probably get into the 2nd one that is also misconfigured???

to harden a firewall can easily take a day of work and testing
and backups prior to going online.....
though it's time well spent... not all do spend the time ???
( time vs risk vs skills vs costs vs who-is-attacking )

have fun linuxing
alvin

> That way, if a computer in your regular DMZ was compromised, the ADSL machine
> would be protected by the company firewall and vice versa.
> 
> Furthermore, very restricted access rules could be set down at the 
> firewalls for access
> to the ADSL machine.  For example, the Router/Firewall on the ADSL side should
> probably block all incoming traffic.  
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
> 
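
An added example, not part of the original message or of any tool it mentions: a small audit of a first-match rule table for the three-zone layout in the reply (internet, dmz, internal lan), flagging any rule that lets a connection be initiated into the internal lan. The 192.168.0.0/16 and 10.0.1.0/24 ranges, the zone names and both rule tables are assumptions constructed for the illustration.

```python
"""Added example: audit a first-match rule table for the three-zone layout."""
from ipaddress import ip_address, ip_network

# Assumed address plan: the post gives only "192.168.x" and "10.0.1.x".
ZONES = {
    "dmz": ip_network("192.168.0.0/16"),
    "lan": ip_network("10.0.1.0/24"),
}

def zone_of(addr):
    """Map an address to its zone; anything unlisted is the internet side."""
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "inet")

# Constructed rule table: (src zone, dst zone, dst port or None, action).
# Rules describe who may *initiate* a connection; reply packets are assumed
# to be handled by the packet filter itself.
GOOD_RULES = [
    ("lan", "inet", None, "ACCEPT"),
    ("lan", "dmz", None, "ACCEPT"),
    ("inet", "dmz", 80, "ACCEPT"),
    ("dmz", "inet", 53, "ACCEPT"),
]
# Same table plus a constructed "temporary" hole from the dmz to the lan.
BAD_RULES = GOOD_RULES + [("dmz", "lan", 22, "ACCEPT")]

def decide(rules, src, dst, port):
    """First matching rule wins; no match falls through to default deny."""
    sz, dz = zone_of(src), zone_of(dst)
    for rs, rd, rport, action in rules:
        if (rs, rd) == (sz, dz) and rport in (None, port):
            return action
    return "DENY"

def audit(rules):
    """Return rules that break the constraint from the post: nothing outside
    the internal lan (dmz hosts included) may open a connection into it."""
    return [r for r in rules
            if r[1] == "lan" and r[0] != "lan" and r[3] == "ACCEPT"]

if __name__ == "__main__":
    for name, table in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, "violations:", audit(table))
    print(decide(GOOD_RULES, "192.168.5.10", "10.0.1.20", 22))
```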
