RE: Firewall and DMZ topology

2003-06-21 Thread Chris Berry
From: NC Agent [EMAIL PROTECTED] I'm not sure how a tri-homed firewall can be just as secure as a two firewall setup. Consider this: Hacker is able to penetrate your firewall and owns the box. In a tri-homed firewall, they now have direct access to your internal network. If this had been a two

RE: IDS question [was: Re: Firewall and DMZ topology]

2003-06-16 Thread John Brightwell
I wasn't completely clear in my last e-mail. I was thinking more along the lines of having the IDS in the DMZ. Any attacks that get past the outside firewall to the DMZ hosts would be caught by the IDS in the DMZ. The attacks that don't make it past the external firewall into the DMZ

IDS question [was: Re: Firewall and DMZ topology]

2003-06-12 Thread Steve Bremer
tri-homed firewall, more so if you have IDS sensors at exterior, dmz, and interior, and the time to monitor them. Changing subjects a little bit here. I agree with your IDS comment, but I'm curious about how your external IDS is used. I've run into differing opinions on this (as I do with

RE: Firewall and DMZ

2003-06-12 Thread David Gillett
The problem with this is that there's almost always a need to provide (some) LAN users with access to servers in the DMZ, such as to maintain content. To avoid exposing that traffic, or the necessary firewall holes, to the Internet, you need to add a third firewall between the LAN and DMZ.

RE: IDS question [was: Re: Firewall and DMZ topology]

2003-06-12 Thread Mann, Bobby
Message- From: Steve Bremer To: [EMAIL PROTECTED] Sent: 6/12/03 5:56 AM Subject: IDS question [was: Re: Firewall and DMZ topology] tri-homed firewall, more so if you have IDS sensors at exterior, dmz, and interior, and the time to monitor them. Changing subjects a little bit here. I agree

Re: IDS question [was: Re: Firewall and DMZ topology]

2003-06-12 Thread Chris Berry
From: Steve Bremer [EMAIL PROTECTED] tri-homed firewall, more so if you have IDS sensors at exterior, dmz, and interior, and the time to monitor them. Changing subjects a little bit here. I agree with your IDS comment, but I'm curious about how your external IDS is used. I've run into differing

RE: IDS question [was: Re: Firewall and DMZ topology]

2003-06-12 Thread Steve Bremer
Hi, External IDS can be inline or passive sitting on a span port. For any Good point. I was thinking of just a monitoring sensor, but an in-line sensor that can be configured to block active attacks would be nice. Has anyone tried Hogwash? So in my opinion I think it's important to

RE: Firewall and DMZ topology

2003-06-11 Thread Depp, Dennis M.
Ed, I agree that this is more likely. However, if they control a tri-homed firewall, they have access to your internal network. If they control the external firewall of a two firewall system they only have access to your DMZ. The original statement was something about there is no security benefit

Re: Firewall and DMZ topology

2003-06-11 Thread Steve Bremer
In theory yes, however, if your administration isn't perfect, it would actually LOWER your security stance. Kind of goes against the KISS principle unless you have enough staff/time to keep a close eye on it. Guess it all depends on your size. True, but I figure that's what I'm paid for ;-)

RE: Firewall and DMZ topology

2003-06-11 Thread David J. Jackson
Small Office Home Office -Original Message- From: Morgado Alain [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 11, 2003 7:55 AM To: [EMAIL PROTECTED] Subject: RE: Firewall and DMZ topology What is a soho? -Original Message- From: Christopher Ingram [mailto:[EMAIL PROTECTED

Ang: RE: Firewall and DMZ topology

2003-06-11 Thread marcus
-11 16:54 To [EMAIL PROTECTED] Cc Subject RE: Firewall and DMZ topology What is a soho? -Original Message- From: Christopher Ingram [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 10, 2003 3:01 PM To: [EMAIL PROTECTED] Subject: Re: Firewall and DMZ topology First I apologize

RE: Firewall and DMZ topology

2003-06-11 Thread ed
On Wed, 2003-06-11 at 15:54, Morgado Alain wrote: What is a soho? Small Office/Home Office

RE: Firewall and DMZ topology

2003-06-11 Thread David Gillett
-Original Message- From: Morgado Alain [mailto:[EMAIL PROTECTED] What is a soho? It's an acronym: Small Office / Home Office. SOHO products are typically aimed at networks of 5-15 machines, which may not have a full-time IT person. They need to be both cheap and simple. David

Re: Firewall and DMZ topology

2003-06-11 Thread Adam Newhard
soho = small office/home office webopedia.com is always a good place to get a(n) (extremely) general definition of terms. later, adam - Original Message - From: Morgado Alain [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 11, 2003 10:54 AM Subject: RE: Firewall and DMZ

Re: Firewall and DMZ topology

2003-06-11 Thread Chris Berry
From: Steve Bremer [EMAIL PROTECTED] In theory yes, however, if your administration isn't perfect, it would actually LOWER your security stance. Kind of goes against the KISS principle unless you have enough staff/time to keep a close eye on it. Guess it all depends on your size. True, but I

RE: Firewall and DMZ topology

2003-06-11 Thread Mann, Bobby
: 6/10/03 6:20 PM Subject: RE: Firewall and DMZ topology You are ignoring any intrusion detection that should alert you to nefarious activity inside your DMZ. This same traffic on the outside of your firewall may not give concern or alarm, but when it is hitting the outside interface of your DMZ

Re: Firewall and DMZ topology - Thanks for all the information

2003-06-11 Thread Chris Berry
From: William J. Burgos [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Firewall and DMZ topology - Thanks for all the information Date: 11 Jun 2003 12:09:32 +0900 Greetings all, Thank you all for your reply to my question regarding Firewalls and DMZ topology. This has been a lively thread

RE: Firewall and DMZ topology

2003-06-11 Thread Chris Berry
From: Morgado Alain [EMAIL PROTECTED] What is a soho? Small office home office Chris Berry [EMAIL PROTECTED] Systems Administrator JM Associates Within every man beats a heart of darkness. --The Shadow

Re: Firewall and DMZ topology

2003-06-10 Thread Chris Berry
From: Christopher Ingram [EMAIL PROTECTED] So, the below setup is not decent for a corporate LAN. Ideally, the DMZ should sit on a separate connection to the Internet from the rest of the network, using a different ISP and therefore, different IP block. This provides the most isolation. I'm

Re: Firewall and DMZ topology

2003-06-10 Thread Brad Mills
William, I would like to set up a SOHO network with a firewall and DMZ for mostly web serving and email. Of course, there are private PCs on the internal network, Windows and Linux. My connection is a dynamic IP on a pppoe and I already have an old laptop used as a simple firewall setup.

RE: Firewall and DMZ topology

2003-06-10 Thread David Gillett
-Original Message- From: Chris Berry [mailto:[EMAIL PROTECTED] I'm afraid I don't see how that: internet -- Firewall -- Lan internet -- Firewall -- DMZ Actually, it's internet -- Firewall -- LAN internet -- Firewall -- DMZ would be any more secure than this: internet --

Re: Firewall and DMZ topology

2003-06-10 Thread Erik Vincent
I think there is a major difference between: 1:internet -- Outer Firewall -- DMZ -- Inner Firewall -- LAN If your Outer Firewall is cracked, only the DMZ computer will be unprotected but the LAN portion is still protected. If

RE: Firewall and DMZ topology

2003-06-10 Thread ed
). This way all clients must still pass through your firewall to hit the mail server. Bob. -Original Message- From: Des Ward To: 'William J. Burgos' Cc: [EMAIL PROTECTED] Sent: 6/9/03 10:46 AM Subject: RE: Firewall and DMZ topology Basically, you're going to have to get a machine

Re: Firewall and DMZ topology

2003-06-10 Thread Daniel B. Cid
There are many reasons. First of all, in this situation: internet -- Firewall -- LAN -- DMZ You need to pass through your LAN to access the DMZ ... I don't need to say anything more. The purpose of a DMZ is to isolate the public servers from outside the LAN. If

RE: Firewall and DMZ topology

2003-06-10 Thread Des Ward
possible. Just my .002667 cents worth (After converting from the BRITISH and not ENGLISH pound) -Original Message- From: Chris Berry [mailto:[EMAIL PROTECTED] Sent: 10 June 2003 01:53 To: [EMAIL PROTECTED] Subject: Re: Firewall and DMZ topology From: Christopher Ingram [EMAIL PROTECTED

Re: Firewall and DMZ topology

2003-06-10 Thread Zach Crowell
Erik Vincent wrote: I think there is a major difference between: 1:internet -- Outer Firewall -- DMZ -- Inner Firewall -- LAN If your Outer Firewall is cracked, only the DMZ computer will be unprotected but the LAN portion

Re: Firewall and DMZ topology

2003-06-10 Thread Erik Vincent
the mail server. Bob. -Original Message- From: Des Ward To: 'William J. Burgos' Cc: [EMAIL PROTECTED] Sent: 6/9/03 10:46 AM Subject: RE: Firewall and DMZ topology Basically, you're going to have to get a machine with three NICs. The purpose of a DMZ is to segment machines from your internal

RE: Firewall and DMZ topology

2003-06-10 Thread Chris Berry
From: Des Ward [EMAIL PROTECTED] The second means that all traffic has to traverse your LAN to get to the 'Unprotected' DMZ systems and also could leave your internal LAN open to attack. My ASCII drawing didn't come out very well it was supposed to represent a tri-homed firewall, which, to the

Re: Firewall and DMZ topology

2003-06-10 Thread Erik Vincent
Not really, because they are configured differently. The outer Firewall lets traffic from the internet inside the DMZ (i.e. SMTP, HTTP, etc.) But the Inner firewall won't accept any connection from the DMZ to LAN, i.e.: internet - Outer Firewall - DMZ - Inner Firewall - LAN The Inner firewall will

Re: Firewall and DMZ topology

2003-06-10 Thread Daniel B. Cid
The proxy server cannot be inside the DMZ. You will only want to have public servers on it. This setup is very good, but in some cases (low money) the NIC2 can be the same as NIC1. Internet - (NIC 3) Firewall (NIC1) - Firewall / Proxy server - LAN

Re: Firewall and DMZ topology

2003-06-10 Thread Chris Berry
From: Erik Vincent [EMAIL PROTECTED] 2: internet -- Firewall -- LAN -- DMZ If the Firewall is cracked, the DMZ and LAN will be unprotected. It is far easier to crack a

RE: Firewall and DMZ topology

2003-06-10 Thread Depp, Dennis M.
I'm not sure how a tri-homed firewall can be just as secure as a two firewall setup. Consider this: Hacker is able to penetrate your firewall and owns the box. In a tri-homed firewall, they now have direct access to your internal network. If this had been a two firewall setup, they would have

Re: Firewall and DMZ topology

2003-06-10 Thread Daniel B. Cid
I think similar to you. In most companies all the firewalls are the same (same OS, same version and same configuration).. If someone is able to crack firewall 1, they will be able to crack firewall 2 and 3 .. []`s Daniel B. Cid On Tue, 2003-06-10 at 13:41, Zach Crowell wrote: Erik

Re: Firewall and DMZ topology

2003-06-10 Thread Steve Bremer
Under what conditions would these firewalls be configured any differently from a vulnerability-assessment view point? i.e., if someone was able to crack the outer firewall, is it not likely they would crack the inner firewall as well? Not necessarily. If different types of firewalls are

Re: Firewall and DMZ topology

2003-06-10 Thread Daniel B. Cid
J. Burgos' Cc: [EMAIL PROTECTED] Sent: 6/9/03 10:46 AM Subject: RE: Firewall and DMZ topology Basically, you're going to have to get a machine with three NICs. The purpose of a DMZ is to segment machines from your internal network whilst still providing protection for them. Any other

RE: Firewall and DMZ topology

2003-06-10 Thread David Ellis
OK, everyone, Use a firewall with three network cards in it, one going to DMZ, one going to lan, and one going to internet, allow traffic such as smtp to dmz, don't allow any traffic to internally. Store all your smtp messages in the dmz. Use an internal program on the lan to go out and grab the

RE: Firewall and DMZ topology

2003-06-10 Thread Steve Bremer
I do think tri-homed firewalls are a good solution, but they are not as secure as a two firewall solution. Why not combine both topologies? Internet | | | Ext FW --- External DMZ | | (Int DMZ) | Int FW | | | LAN The network between the

RE: Firewall and DMZ topology

2003-06-10 Thread DeGennaro, Gregory
, June 10, 2003 11:41 AM To: Chris Berry; [EMAIL PROTECTED] Subject: RE: Firewall and DMZ topology I'm not sure how a tri-homed firewall can be just as secure as a two firewall setup. Consider this: Hacker is able to penetrate your firewall and owns the box. In a tri-homed firewall, they now have

RE: Firewall and DMZ topology

2003-06-10 Thread Depp, Dennis M.
First, in order to increase security Firewall1 should not be the same as Firewall2. Even if they are the same, rules will be different on each of the firewalls. Different rules means different vulnerabilities. Finally, Intrusion detection should be more sensitive on the inside of the outer

RE: Firewall and DMZ topology

2003-06-10 Thread Daniel B. Cid
That is not the problem. For example, if you use Linux as your firewall, and if someone breaks your first firewall, in most of the cases this person will be able to break the second too. Why? Because in both firewalls you will not run a webserver or a mail server, but only administrative stuff,

Re: Firewall and DMZ topology

2003-06-10 Thread Chris Berry
From: Steve Bremer [EMAIL PROTECTED] Under what conditions would these firewalls be configured any differently from a vulnerability-assessment view point? i.e., if someone was able to crack the outer firewall, is it not likely they would crack the inner firewall as well? Not necessarily. If

RE: Firewall and DMZ topology

2003-06-10 Thread ed
This is true to an extent. However it is far more likely that someone will use an exploit on the server in the DMZ than on the firewall itself. For example: Let's say you have a linux box running iptables with three NICs as your firewall. Behind the firewall, in the DMZ you have a web-server

RE: Firewall and DMZ topology

2003-06-09 Thread Des Ward
Basically, you're going to have to get a machine with three NICs. The purpose of a DMZ is to segment machines from your internal network whilst still providing protection for them. Any other solution will just not give you the right balance of security. Sorry -Original Message- From:

Re: Firewall and DMZ topology

2003-06-09 Thread Christopher Ingram
That would be more secure than some of the options presented, although the first firewall could reside on the DMZ. The point, however, is that even though the DMZ is isolated from the internal network (things like file sharing between workstations are protected) should the DMZ be compromised,

RE: Firewall and DMZ topology

2003-06-09 Thread Mann, Bobby
PROTECTED] Sent: 6/9/03 10:46 AM Subject: RE: Firewall and DMZ topology Basically, you're going to have to get a machine with three NICs. The purpose of a DMZ is to segment machines from your internal network whilst still providing protection for them. Any other solution will just not give you