In our LAN topology we currently use 3 firewalls and one router. The router does routing only, as it is designed to do. The first firewall is an IDS/routing unit that is basically invisible: all good packets it sees it forwards to the appropriate LAN interface, DMZ or private. All private-interface packets pass through a second firewall that only allows packets destined for it through, and only for protocols and services we allow in our private segment. The DMZ firewall actually splits out regular service requests destined to it into a live LAN DMZ for web/smtp/imap; it takes all forwarded bad packets, passed intentionally through the first firewall, into a honeynet segment for all the things we don't allow, like ftp, telnet, snmp, etc. etc. etc. Call it our unwanted packet playground.

It's simple really. Example: say someone tried to telnet to mail.ourhost.com. The first firewall sees the packet and redirects it to the DMZ firewall, which sends it into the honeypot segment. Now even though it was destined for the real mail server, redirection lets us send it to a 192. IP host in the honeypot. For things like mail/smtp, valid traffic passes through the first firewall to the DMZ firewall to its appropriate destination. Mind you, the primary firewall blocks valid httpd requests for things like Code Red and crap, and other known exploitable IDS signatures, not all known ones, just the lame ones; the others it also passes into the honeynet. All our firewalls and DMZ-based servers are hardened systems with major changes to the source at both the kernel and user level, so even they are afforded a third level of protection.

> DLJ> I heard that you can make a DMZ with a router and a firewall. Is that a good
> DLJ> way to make a DMZ, or should you use 2 firewalls?
>
> DLJ> Thanks in advance.
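Below is an added nftables ruleset illustrating the redirect trick described above (unwanted ports on the public mail address DNATed into a honeypot, served ports forwarded to the live DMZ). It is not the poster's configuration: the poster's firewall software is never named, the two-box hand-off (first firewall redirecting to the DMZ firewall) is collapsed onto one box, and the addresses and interface names are assumptions for illustration (203.0.113.25 as the public address of mail.ourhost.com, 192.168.200.10 as the honeypot, eth0/eth1/eth2 as outside, live DMZ and honeynet). The IDS-signature part (dropping Code Red style requests) is not expressible in plain nft and is left out.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's ruleset. Assumed addressing (constructed):
#   203.0.113.25    public address of mail.ourhost.com (live DMZ host)
#   192.168.200.10  honeypot in the honeynet segment
#   eth0 / eth1 / eth2   outside, live DMZ, honeynet interfaces
flush ruleset

define MAIL_PUBLIC = 203.0.113.25
define HONEYPOT    = 192.168.200.10
define LIVE_PORTS  = { 25, 80, 143, 443 }

table ip dmzfw {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # Anything aimed at the mail server on a port we do not serve
        # (telnet, ftp, ...) is rewritten to the honeypot before routing,
        # so the sender still believes they reached the mail host.
        iifname "eth0" ip daddr $MAIL_PUBLIC tcp dport != $LIVE_PORTS dnat to $HONEYPOT
        # snmp probes go the same way
        iifname "eth0" ip daddr $MAIL_PUBLIC udp dport 161 dnat to $HONEYPOT
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies for connections already admitted (including the DNATed ones)
        ct state established,related accept

        # Live DMZ: only the services we actually run on the mail host
        iifname "eth0" oifname "eth1" ip daddr $MAIL_PUBLIC tcp dport $LIVE_PORTS ct state new accept

        # Honeynet: whatever got DNATed above is allowed in ...
        iifname "eth0" oifname "eth2" ip daddr $HONEYPOT ct state new accept
        # ... but the honeynet may never open connections anywhere, so a
        # compromised honeypot cannot pivot into the DMZ or attack third parties.
        iifname "eth2" drop
    }
}
```

Load with `nft -f` on a box that routes between the three interfaces. The last rule matters as much as the DNAT: a honeypot that can initiate outbound traffic turns the "unwanted packet playground" into a launch point, so the honeynet segment gets inbound-only treatment, with established/related replies the only traffic allowed back out.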
