[EMAIL PROTECTED] wrote:
>
> > Ok. That's better than their being always on. A DMZ for your
> > servers would be safer, but is not necessary.
> >
>
> As soon as I'm able to get DSL, I'll be setting up a DMZ for my servers. A
> question: what are the pros and cons of using a third NIC on my Oxygen box
> for a DMZ to setting up a second Oxygen box and having both internal and
> external firewalls?
Using two separate firewalls is much better than three NICs in one.
1) You would be following "least privilege." The systems have only
enough privileges to do what they have to. Either protect
a server or protect your internal network. Each firewall is
responsible for a little.
2) You could be following "defense in depth." You have redundant
systems backing each other up. If one part falls, you still
have the second strongly defended firewall.
3) You'd have two "choke points," giving two very narrow, difficult,
disparate channels the attacker has to go through that are being
watched very carefully by you.
4) You'd have isolated the "weakest link," the server, between
two different firewalls.
5) You'd have a failsafe stance, where one firewall could fail,
but you'd have the other, still protecting the network.
6) You'd have reduced the complexity of each firewall, when it
only has two NICs. A simple system is easier to deploy, and
it is easier to recognize any inappropriate behavior on it.
7) There's no single vulnerable point that would compromise
the internal network.
8) If someone compromises a server on the DMZ with two
firewalls, the attacker can only sniff the DMZ,
not the sensitive internal network.
The preferred method is to use two different hardware systems.
One could be a LEAF, the other a Cisco or FreeBSD. The worst thing
is to use identical firewalls with identical root passwords. Crack
one, and the other's cracked, you can imagine.
> Beside the fact that having two firewalls for a home
> network would be overkill... :)
It's only overkill until you lose a few years of work :)
> I haven't upgraded to the recent Oxygen yet (.8 I think? Maybe x.8 --- I
> don't remember),
1.8.1
Regards,
Matthew
> and I'm using Seawall for my firewall rules. Seawall has
> built-in support for DMZ networks, so it would (should, anyway) be fairly
> trivial to set up a DMZ on a third NIC. At some point in time, I'll also
> be upgrading to a 2.4.x kernel and using either Shorewall or Openwall.
>
> While I'm asking, has anyone tried a halted firewall with a LEAF distro?
> It's a cool concept: http://www.samag.com/print/documentID=20294
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
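To make points 7) and 8) concrete, here is an added example that is not code from the original thread, from LEAF or from Seawall. It models the two layouts Matthew compares (one three-NIC firewall versus an external firewall in front of the DMZ and an internal firewall behind it) as first-match, default-DROP packet filters and evaluates the same flows against both. The networks, addresses and the "update access" rule are constructed for the example; the point it shows is that an over-broad ACCEPT rule on the external box exposes the internal LAN to a compromised DMZ host only in the single-firewall layout, because the internal firewall still drops DMZ-originated connections.

```python
"""Two-firewall DMZ versus one three-NIC firewall, as a policy model.

Added example, not code from the original post, LEAF or Seawall.
All addresses below are constructed (RFC 1918 and documentation ranges).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Sequence

ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.168.100.0/24")        # constructed DMZ segment
INTERNAL = ip_network("192.168.1.0/24")     # constructed internal LAN
WEB = ip_network("192.168.100.10/32")       # constructed DMZ web server


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    new: bool = True  # True = new connection, False = reply of an established one


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "ACCEPT" or "DROP"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src
                and ip_address(f.dst) in self.dst
                and (self.dport is None or self.dport == f.dport))


class Firewall:
    """First-match filter, default DROP; replies of established connections
    are accepted, like an ESTABLISHED,RELATED rule at the top of a chain."""

    def __init__(self, name: str, rules: Sequence[Rule]):
        self.name = name
        self.rules = list(rules)

    def decide(self, f: Flow) -> str:
        if not f.new:
            return "ACCEPT"
        for r in self.rules:
            if r.matches(f):
                return r.action
        return "DROP"


# External box: only the public web service in, and LAN browsing out.
EXTERNAL_RULES = [
    Rule(ANY, WEB, 80, "ACCEPT"),
    Rule(INTERNAL, ANY, None, "ACCEPT"),
]
# Internal box: the LAN may initiate to the DMZ and beyond; nothing else may.
INTERNAL_RULES = [
    Rule(INTERNAL, ANY, None, "ACCEPT"),
]


def two_firewall_layout(extra_external: Sequence[Rule] = ()) -> tuple:
    return (Firewall("external", EXTERNAL_RULES + list(extra_external)),
            Firewall("internal", INTERNAL_RULES))


def three_nic_layout(extra: Sequence[Rule] = ()) -> Firewall:
    # One box carries every rule and every flow crosses it.
    return Firewall("three-nic", EXTERNAL_RULES + INTERNAL_RULES + list(extra))


def zone(addr: str) -> str:
    a = ip_address(addr)
    return "dmz" if a in DMZ else "internal" if a in INTERNAL else "internet"


def path(f: Flow, external: Firewall, internal: Firewall) -> list:
    """Firewalls crossed in the chain internet - external - DMZ - internal - LAN."""
    zones = {zone(f.src), zone(f.dst)}
    hops = []
    if "internet" in zones:
        hops.append(external)
    if "internal" in zones:
        hops.append(internal)
    return hops


def permitted(f: Flow, external: Firewall, internal: Firewall) -> bool:
    """A flow passes only if every firewall on its path accepts it."""
    return all(fw.decide(f) == "ACCEPT" for fw in path(f, external, internal))


if __name__ == "__main__":
    # Constructed "mistake": the DMZ host was allowed out to anything for updates.
    mistake = Rule(DMZ, ANY, None, "ACCEPT")
    pivot = Flow("192.168.100.10", "192.168.1.20", 445)  # DMZ host -> LAN file share
    ext, inn = two_firewall_layout([mistake])
    print("two firewalls, DMZ -> LAN:", permitted(pivot, ext, inn))
    print("three-NIC box, DMZ -> LAN:", three_nic_layout([mistake]).decide(pivot))
```

The model deliberately keeps the DMZ host unable to initiate connections anywhere by default; the "update access" rule is the kind of convenience rule that gets added later, and the two-firewall layout survives it because the rule only lives on the box that does not guard the LAN.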