> From: "Yaroslav S. Polyakov" <[EMAIL PROTECTED]>
>
> > 23) Put exposed servers in true DMZ (two firewalls).
>
> Why do you think one firewall with dedicated interface to DMZ is worse
> than two firewalls?
Several reasons.

First, on a single machine you have a box that directly connects to your trusted, semi-trusted, and untrusted networks; if anyone roots that box, everything is hosed. Having a proper set of effective firewall rules on that machine is going to be a bit complicated due to the triple interface, and as we all know, the more rules you have, the less likely you'll be able to properly maintain them.

Second, my personal opinion is that when you build a true DMZ (two firewalls) they should not be of the same type. While this violates the simplicity principle, it makes it far less likely that any one vulnerability will be able to allow penetration of your network.

Third, since the second machine is not required to allow access to exposed servers, you can make a really tight ruleset that denies almost everything.

I'm not saying that a tri-homed machine can't be useful, and it's certainly cheaper, but given sufficient resources, I would prefer a setup with two machines.

Chris Berry
[EMAIL PROTECTED]
Systems Administrator
JM Associates
"I have found the way, and the way is Perl."
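To make the third point concrete, here is an added example (not from the thread, and not any poster's own configuration) of what a deny-almost-everything ruleset on the inner firewall might look like in nftables syntax. It assumes eth0 faces the trusted LAN (10.0.0.0/24), eth1 faces the DMZ (192.0.2.0/24), the outer firewall handles all Internet-to-DMZ traffic, and a hypothetical syslog collector sits at 10.0.0.10.

```nft
# Added example: inner firewall of a two-firewall DMZ.
# Assumed layout: eth0 = trusted LAN 10.0.0.0/24, eth1 = DMZ 192.0.2.0/24.
# Internet -> DMZ traffic never reaches this box; the outer firewall owns it.
flush ruleset

table inet inner_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Manage this firewall only from the trusted side
        iif "eth0" ip saddr 10.0.0.0/24 tcp dport 22 accept
        log prefix "inner-fw input drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept

        # Trusted LAN may open connections to DMZ web servers on HTTP/HTTPS only
        iif "eth0" oif "eth1" ip saddr 10.0.0.0/24 ip daddr 192.0.2.0/24 \
            tcp dport { 80, 443 } accept

        # Nothing originating in the DMZ may open a connection inward: a
        # compromised exposed server gets no path to the trusted LAN, and
        # every attempt is logged for the people watching the inner firewall.
        iif "eth1" oif "eth0" log prefix "dmz-to-lan attempt: " drop

        log prefix "inner-fw forward drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # Ship this box's own logs to the (assumed) collector on the trusted LAN
        oif "eth0" ip daddr 10.0.0.10 udp dport 514 accept
    }
}
```

The only permitted new connections cross from trusted to DMZ on two ports; everything else, in every direction, is dropped and logged, which is the kind of short, reviewable ruleset the inner box can afford when it never has to expose servers itself.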
