With the rise of firewall appliances and multi-NIC cards, many organizations run a collapsed DMZ. Obviously the two-firewall architecture is a good idea, but how many organizations actually pick two different firewall vendors and apply this approach?

--- "Laura A. Robinson" <[EMAIL PROTECTED]> wrote:
> I wouldn't oversimplify like that. Collapsed structure versus two firewalls
> is a very debatable topic. Why? Because if I hack your external firewall
> (the firewall itself, not a machine behind it) and your *separate* internal
> firewall is a *different* firewall, all I've done so far is compromise your
> DMZ. If you have a single firewall and there's an exploit out there for it
> that you've not yet patched against or a hack you don't know about, when I
> compromise your firewall I've now potentially compromised your entire
> network.
>
> With that said, as I steadfastly maintain, a firewall is merely a speed bump
> against a skilled, dedicated intruder.
>
> Laura
> ----- Original Message -----
> From: "Clifford Thurber" <[EMAIL PROTECTED]>
> To: "Laura A. Robinson" <[EMAIL PROTECTED]>; "Bill Royds"
> <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Thursday, April 04, 2002 4:29 PM
> Subject: Re: Basic DMZ Setup Questions...
>
>
> > This was traditionally the architecture before the DMZ became collapsed.
> >
> > At 12:13 PM 4/4/2002 -0500, Laura A. Robinson wrote:
> > >A "true" DMZ may have a firewall between the Internet and the DMZ, as well
> > >as between the DMZ and the intranet.
> > >
> > >Laura
> > >----- Original Message -----
> > >From: "Bill Royds" <[EMAIL PROTECTED]>
> > >To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > >Sent: Wednesday, April 03, 2002 8:11 PM
> > >Subject: RE: Basic DMZ Setup Questions...
> > >
> > >
> > >A true DMZ is the net between the firewall and the Internet, not behind a
> > >firewall. If this is the case, then you have the choice of a public address
> > >or a simple 1-1 NAT (IP redirect) set up on your NAT-enabled router. If your
> > >router can handle Port Address Translation, where it sends the traffic from
> > >a single Internet address to separate servers depending on destination port,
> > >you can save Internet IP space by using private addresses. But your servers
> > >are not being protected by your firewall.
> > >
> > >If it is the more common server segment on a third NIC of the firewall, then
> > >it can use private address space, either IP redirect, PAT or full dynamic
> > >NAT. But it still would be a good idea to set up this server segment with a
> > >separate subnet address to ease routing and rule making on the firewall.
> > >
> > >-----Original Message-----
> > >From: [EMAIL PROTECTED]
> > >[mailto:[EMAIL PROTECTED]]On Behalf Of John S. Strock
> > >Sent: Wed April 03 2002 18:26
> > >To: [EMAIL PROTECTED]
> > >Subject: Basic DMZ Setup Questions...
> > >
> > >
> > >I have a few questions regarding setting up a DMZ. Currently our
> > >public servers are behind our LAN port on our Firewall, with only the
> > >ports we need opened. I would like to move these servers to the DMZ
> > >port of our SonicWall DMZ firewall. My question is...once I put
> > >something in the DMZ, do I need to give it a different IP address,
> > >meaning do I need to change it from an internal LAN IP to an external
> > >WAN IP? Currently, my NAT router handles that. And if I do give it a
> > >WAN IP, does that mean I take it out of my NAT table? I plan on using
> > >our HP Switch to create 2 VLANs, one for our LAN and one for the DMZ
> > >Zone (currently our switch is not VLANed and it's used for our internal
> > >LAN). Would this work, is this a good idea? Can you give me any basic
> > >setup ideas/suggestions?
> > >
> > >Thanks!
> > >
> > >John
> > >_______________________________________________
> > >Firewalls mailing list
> > >[EMAIL PROTECTED]
> > >http://lists.gnac.net/mailman/listinfo/firewalls
