Hi Charles, hi all

> > I'm currently in a Watchguard training. I'm going to make the WCP
> > Certificate.
> >
> > The trainer told me, that the "Drop-In configuration" (ProxyARP DMZ) is less
> > secure than the routed DMZ. I didn't say anything and thought "Uh, really?
> > Why?".
>
> Good for you!

Good for me that I didn't say anything or good for me that I'm going to make
the WCP? :)

Thanks a lot for your explanation!

Unfortunately, you can't define in which chain rules go. (Watchguard
Fireboxes run on a highly modified kernel 2.0.38)
I don't know in which chain they organize their DMZ stuff.

She told me, that she'll explain the whole DMZ stuff more exactly tomorrow.
Let's see if she knows what she's talking about... ;)

Other opinions than Charles'?

---
Sandro Minola           | LEAF Developer (http://leaf.sourceforge.net)
mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED]
http://www.minola.ch    | http://leaf.sourceforge.net/devel/sminola

> -----Original Message-----
> From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 27, 2002 7:43 PM
> To: Sandro Minola; Leaf-User; Leaf-Devel
> Subject: Re: [Leaf-devel] Question of principle: Are ProxyARP DMZ
> insecure?
>
>
>
> > Is a ProxyARP DMZ less secure than a routed or staticNAT DMZ?
> > Are there even any security related differences?
> >
> > She told me, that staticNAT with a private DMZ is the better solution if you
> > want to save public IP's. I don't think so.
> > I think I run into problems with special applications/protocols if using
> > staticNAT (passiveFTP, PPTP?)
> >
> > Discussion is opened....
>
> All three of the architectures you mention (static-NAT, routed, and
> proxy-arp) have the same basic packet flow:
>
> <internet>
>     |
> Firewall - DMZ net
>
> Or possibly:
>
> <internet>
>     |
> Firewall - DMZ net
>     |
> Internal net
>
> The only difference between the "flavors" of DMZ you mention is what IP
> addresses and subnet labels get attached to each interface...the security
> (or lack thereof) depends entirely on what the firewall is doing with the
> packet data.
>
> If you've got a flexible mechanism for building firewall rules, it shouldn't
> matter which architecture you pick...you should be able to implement your
> desired firewall functionality with any of the DMZ flavors.
>
> NOTE:  There are specific things you need to watch for depending on the DMZ
> architecture.  For instance, the Dachstein firewall rules implement routed,
> static-nat, and proxy-arp DMZ rules in the forward chain, so the packets are
> blindly accepted in the input chain (to be sorted later).  If you're running
> static-NAT or proxy-arp, the firewall probably has an IP that overlaps with
> the DMZ network, so you've just potentially opened your firewall's external
> IP to the world with no filtering!  For the curious, that's why the dmz-in
> and dmz-spoof ipchains are created in this situation...ip's destined for the
> local box are routed back through the input rule chain, while packets truly
> destined for the DMZ are accepted in the input chain, then filtered in the
> forward chain.
>
> Charles Steinkuehler
> [EMAIL PROTECTED]
>
>
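The overlap hazard Charles describes in the quoted NOTE, modelled as an added example (not Dachstein's or anyone's actual ipchains rules): a Python sketch of an input chain that blindly accepts DMZ-bound packets, beside a dmz-in style split that sends packets for the firewall's own IP back through local policy. Addresses, the "only SSH may reach the firewall" policy and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing (not from the thread).  With proxy-ARP or
# static-NAT the firewall's external IP sits inside the DMZ network; with a
# routed DMZ the DMZ is a separate subnet behind the firewall.
FIREWALL_EXT_IP = ipaddress.ip_address("203.0.113.1")
DMZ_PROXYARP = ipaddress.ip_network("203.0.113.0/24")
DMZ_ROUTED = ipaddress.ip_network("198.51.100.0/24")
DMZ_HOST = ipaddress.ip_address("203.0.113.50")   # a real DMZ server
LOCAL_IPS = {FIREWALL_EXT_IP}
LOCAL_ALLOWED_PORTS = {22}   # hypothetical policy: only SSH may reach the box


def local_policy(dport):
    """Rules meant to protect services running on the firewall itself."""
    return "ACCEPT" if dport in LOCAL_ALLOWED_PORTS else "DENY"


def naive_input_chain(dmz_net, dst, dport):
    """Input chain that blindly accepts DMZ-bound packets and leaves all
    filtering to the forward chain (the pattern described in the NOTE)."""
    if dst in dmz_net:
        # A packet addressed to the firewall itself never reaches the forward
        # chain, so for dst == FIREWALL_EXT_IP this ACCEPT is final and
        # unfiltered.  Only non-overlapping (routed) DMZs avoid this.
        return "ACCEPT-unfiltered" if dst in LOCAL_IPS else "ACCEPT-to-forward"
    return local_policy(dport)


def dmz_in_input_chain(dmz_net, dst, dport):
    """Same chain with a dmz-in style split: DMZ-net packets that are really
    for a local firewall IP go back through the local policy rules, and only
    packets truly bound for DMZ hosts are accepted for the forward chain."""
    if dst in dmz_net:
        if dst in LOCAL_IPS:
            return local_policy(dport)
        return "ACCEPT-to-forward"
    return local_policy(dport)
```

Comparing the two chains for a telnet packet to the firewall's external IP shows the routed DMZ denying it in both cases, while the proxy-ARP DMZ only denies it once the dmz-in split is in place.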


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
