Why does everyone want to put up another firewall all the time?  Must be
catch-phrase time in security.  As we mentioned, this does not require
another FW unless I misread something here: harden the exposed host and
only allow the inside to connect out to it.  Its main purpose is to
gather stuff from an insecure net and transfer that data inside.  It is
hardened only to make it more difficult to compromise and thus reduce the
time required to fix.


How many admins that work on inside networks actually know how to install
even a semi-hardened server these days?  After all, most incidents happen
behind the firewall...

Thanks,

Ron DuFresne


On Thu, 12 Jul 2001, Eric Johnson wrote:

> At 04:56 PM 7/12/2001 -0700, Alvin Oga wrote:
> 
> >hi ...
> >
> >just my $0.02 worth...
> >
> > >
> > > Would it be better to put it out on the DMZ or to run two DMZ's?
> > >
> > > I'd think it would be better to run two firewalls.  Something like:
> > >
> > >   Router/Firewall
> > >       |
> > >     DMZ
> > >       |
> > >   Firewall ----  ADSL machine -- Router/Firewall -- ADSL
> > >       |
> > >   Internal  Network
> >
> >dmz machines are endpoints... it shouldn't pass traffic to internal
> >  lans and firewalls
> >
> >
> >If time and cost and maintenance and skills were more of an issue ...
> >I'd propose a simpler solution for some personal networks
> >
> >
> >     internet
> >        |
> >        |
> >adsl router/firewall  ( hardware version ? )
> >        |
> >  f i r e w a l l   ( ipchains etc )
> >   |           |
> >  dmz       internal lan
> >192.168.x  10.0.1.x
> >
> >internal lan should NOT allow incoming traffic to the internal lan
> 
> I have seen diagrams like that, but they make me a bit nervous
> having only a single point of failure to compromise the internal
> network.
> 
> But you are right in one respect.  Maybe my drawing should have been
> something like this instead:
> 
>    Router/Firewall -- DMZ
>        |
>    Firewall ----  ADSL machine -- Router/Firewall -- ADSL
>        |
>    Internal  Network
> 
> My understanding of a DMZ is that it is usually one or more
> computers that are hardened and somewhat protected by a
> firewall or a router with ACL lists.  I really didn't mean that the
> traffic from the internal network to the internet would pass through
> each computer in the DMZ.  Just that the company firewall itself
> is in the DMZ.
> 
> Also, in the message that started this, I had the impression that
> they actually have two internet connections.  One through their
> ISP for general use and an ADSL connection for limited use.
> 
> >yes... if they hack into the firewall you're hosed... but you're
> >hosed anyway if they get into any firewall... cause if they get into
> >one... they can probably get into the 2nd one that is also misconfigured???
> 
> Probably.  But hopefully by the time they get into one and find out
> there is another to get through, they will have been discovered and
> actions will be started to keep them from going further.
> 
> It is clear that the company LAN requires more serious protection
> than does the DMZ.  Ideally, the computers in the DMZ should be
> hardened (it would take a real lunatic to put a Windows 95 or 98
> computer there).
> 
> In reality, the demands for protection of the DMZ are much different
> from the demands for protection of the internal network.  If you use
> a firewall to protect the DMZ instead of ACLs on a router, why not
> use one that is tuned to the job.  And for the internal firewall, use
> one tuned to that job.
> 
> If you just use one firewall for both, there would seem to be a greater
> chance of misapplying the rules for one side to also apply to the
> other.  It would be easy to accidentally permit incoming traffic on
> to the DMZ and the internal network when you really meant to just
> limit traffic to the DMZ.
> 
> Of course, a large company might reasonably have a large number of
> firewalls with individual departments in the company firewalled from
> the rest of the company.
> 
> Eric Johnson
> 
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
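A small model of the three-zone policy the thread sketches, as an added example that is not from any of the posters: the zones and addresses follow Alvin's diagram (the /16 and /24 prefixes are assumed), rules are first-match in the ipchains/iptables style, and the last function checks the invariants Ron and Alvin state (inside connects out to the DMZ host, nothing initiates inward to the internal LAN). Prepending one broad rule makes the check fail, which is Eric's point about a shared firewall where a rule meant to limit the DMZ also opens the internal side.

```python
import ipaddress

# Constructed addressing taken from the diagram in the thread:
# dmz 192.168.x, internal lan 10.0.1.x; everything else is "inet".
ZONES = {
    "dmz": ipaddress.ip_network("192.168.0.0/16"),
    "internal": ipaddress.ip_network("10.0.1.0/24"),
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "inet"

# Rule = (src_zone, dst_zone, dst_port or None for any, action).
# First match wins, like an ipchains/iptables chain; the last rule is
# the default deny.  Only connection initiation is modelled (ipchains
# itself was stateless; return traffic is out of scope here).
POLICY = [
    ("internal", "dmz", None, "ACCEPT"),   # inside connects out to the DMZ host
    ("internal", "inet", None, "ACCEPT"),  # inside may go out to the internet
    ("inet", "dmz", 80, "ACCEPT"),         # only the published service is exposed
    ("dmz", "internal", None, "DROP"),     # DMZ is an endpoint, never initiates inward
    ("inet", "internal", None, "DROP"),    # no incoming traffic to the internal LAN
    ("*", "*", None, "DROP"),              # default deny
]

def evaluate(src_ip, dst_ip, dst_port, policy=POLICY):
    """Return the action of the first rule matching this initiation."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rsrc, rdst, rport, action in policy:
        if rsrc in (src, "*") and rdst in (dst, "*") and rport in (dst_port, None):
            return action
    return "DROP"

def policy_holds(policy=POLICY):
    """Invariants from the thread, checked against constructed sample hosts."""
    checks = [
        evaluate("203.0.113.7", "10.0.1.5", 445, policy) == "DROP",     # inet -> internal
        evaluate("203.0.113.7", "10.0.1.5", 80, policy) == "DROP",      # inet -> internal, web
        evaluate("192.168.1.10", "10.0.1.5", 22, policy) == "DROP",     # dmz -> internal
        evaluate("203.0.113.7", "192.168.1.10", 22, policy) == "DROP",  # inet -> dmz, ssh
        evaluate("203.0.113.7", "192.168.1.10", 80, policy) == "ACCEPT",  # inet -> dmz, web
        evaluate("10.0.1.5", "192.168.1.10", 22, policy) == "ACCEPT",   # internal -> dmz
    ]
    return all(checks)

# A rule written as "allow port 80 in" with no destination zone, placed
# ahead of the rest on a shared firewall, silently exposes the internal LAN.
MISAPPLIED = [("inet", "*", 80, "ACCEPT")] + POLICY
```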
