Michael's points IMHO are spot on the mark. I would add though that if you are going for a two firewall setup then you consider using different vendors for each firewall. The discussions on this are of the religious nature but the basic premise is that it is unlikely that an exploit will work on both firewalls so even if one exists your LAN would still be secure (however your DMZ might be breached). Also your time to patching period is increased which gives you some leeway if you are not up to the moment with potential security flaws.
M

-----Original Message-----
From: White, Michael [mailto:[EMAIL PROTECTED]]
Sent: 05 April 2002 19:08
To: '[EMAIL PROTECTED]'
Subject: RE: DMZ - 2 firewalls, or 1 firewall + 1 router

All of your options are being pointed out, but some not as clearly as others. Maybe I can clarify.

Option 1: 1 Firewall w/ 3 interfaces, intf1 - Internet, intf2 - DMZ, intf3 - LAN

Although this is probably the most common implementation of a firewall solution, it's certainly not the most secure. The main problem is that one firewall provides a single point of entry for attackers. Should an attacker manage to infiltrate the DMZ, the likelihood they'll be able to infiltrate the local network is higher.

Option 2: 2 Firewalls. The configuration would look something like this:

    {router}--->Firewall(A)<--|-->Firewall(B)---->[LAN]
                              |
                              |
                              |
                            {DMZ}

This configuration is widely used, but not used enough. It provides better security against attackers, and as you can see, there's no single point of entry to your local network. Obviously you would open specific ports for access to systems in the DMZ, mail, web, ftp, etc. But you would block all access to your local network.

There are, of course, other options, but these are certainly the most common implementations.

Hope this helps.

Michael White
Manager, IT
LMS CADSI

-----Original Message-----
From: Derrenbacker, L. Jonathan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 1:41 PM
To: '[EMAIL PROTECTED]'
Subject: DMZ - 2 firewalls, or 1 firewall + 1 router

I heard that you can make a DMZ with a router and a firewall. Is that a good way to make a DMZ, or should you use 2 firewalls? Thanks in advance.
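Michael's Option 2 (outer firewall A publishing mail, web and ftp into the DMZ; inner firewall B blocking the DMZ from the LAN) and M's containment point can be checked with a small policy model. The following Python is an added example written for this thread, not code from any of the posters or from a real firewall product. The addresses are constructed: 192.0.2.0/24 stands in for the DMZ, 10.0.0.0/24 for the LAN, and anything else counts as the Internet. Rules are evaluated first-match with an implicit final deny, the way most packet filters behave; connection state (return traffic) is left out so the model stays short, and a real deployment would also need anti-spoofing rules on each interface.

```python
"""Two-firewall DMZ policy model (added example; addresses are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

DMZ = ip_network("192.0.2.0/24")   # constructed documentation range, stands in for the DMZ
LAN = ip_network("10.0.0.0/24")    # constructed, stands in for the internal LAN


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    proto: str                    # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None matches every destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _cidr_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_cidr_match(rule.src, flow.src)
            and _cidr_match(rule.dst, flow.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule decides; no match means deny (default-deny policy)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


# Firewall A (outer): only the published DMZ services are reachable from outside,
# and nothing from outside is ever allowed towards the LAN (falls to default deny).
FIREWALL_A = [
    Rule("allow", "any", str(DMZ), "tcp", 25),   # mail
    Rule("allow", "any", str(DMZ), "tcp", 80),   # web
    Rule("allow", "any", str(DMZ), "tcp", 21),   # ftp
    Rule("allow", str(LAN), "any", "any"),       # outbound traffic that B already passed
]

# Firewall B (inner): the DMZ gets no access into the LAN, LAN hosts may go out.
FIREWALL_B = [
    Rule("deny", str(DMZ), str(LAN), "any"),
    Rule("allow", str(LAN), "any", "any"),
]

RULESETS = {"A": FIREWALL_A, "B": FIREWALL_B}


def zone(addr: str) -> str:
    a = ip_address(addr)
    if a in DMZ:
        return "dmz"
    if a in LAN:
        return "lan"
    return "internet"


# Firewalls crossed between zones, following the diagram in the thread:
# {router}---A---+---B---[LAN], with the DMZ hanging off the link between A and B.
PATH = {
    ("internet", "dmz"): ["A"],
    ("internet", "lan"): ["A", "B"],
    ("dmz", "internet"): ["A"],
    ("dmz", "lan"): ["B"],
    ("lan", "dmz"): ["B"],
    ("lan", "internet"): ["B", "A"],
}


def first_denying_firewall(flow: Flow) -> Optional[str]:
    """Name of the firewall that drops the flow, or None if every firewall on the path allows it."""
    for name in PATH.get((zone(flow.src), zone(flow.dst)), []):   # same-zone traffic crosses nothing
        if evaluate(RULESETS[name], flow) != "allow":
            return name
    return None


def permitted(flow: Flow) -> bool:
    return first_denying_firewall(flow) is None


if __name__ == "__main__":
    for f in (Flow("198.51.100.7", "192.0.2.10", "tcp", 80),   # Internet -> DMZ web
              Flow("198.51.100.7", "10.0.0.5", "tcp", 80),     # Internet -> LAN
              Flow("192.0.2.10", "10.0.0.5", "tcp", 445)):     # compromised DMZ host -> LAN
        print(f, "->", "permitted" if permitted(f) else f"dropped by {first_denying_firewall(f)}")
```

The third flow is M's scenario: a host in the DMZ that has already been breached still cannot reach the LAN, because firewall B evaluates its own ruleset regardless of what A let through, and a flaw in A's product does not change B's decision.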
