Date: Tue, 27 Nov 2001 11:42:41 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: Allen Landsidel <all@biosys.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <200111271642.fARGgfU32312@khavrinen.lcs.mit.edu>
In-Reply-To: <5.1.0.14.0.20011127071415.00aa4a18@rfnj.org>
References: <5.1.0.14.0.20011127071415.00aa4a18@rfnj.org>
<<On Tue, 27 Nov 2001 07:27:59 -0500, Allen Landsidel <all@biosys.net> said:

> out
> |
> wan
> |
> switch --- dmz
> |
> fw
> |
> switch
> |
> lan

I think the more traditional version (of the ``two-firewall''
implementation) is not much different from this:

big-bad-Internet --- packet-filtering-router --- DMZ-switch --- DMZ-hosts
                                                     |
                                  internal-network --- firewall

The point being that the first layer of defense protects both DMZ-hosts
and internal-network (not to mention the DMZ-switch and firewall
themselves, which is necessary for some commercial ``firewall''
products); an additional layer of defense protects internal-network
from both big-bad-Internet and any potentially-compromised DMZ-hosts.

In addition, the policy for traversal of the firewall can be made much
stricter than the rules on the packet-filtering router, since all of
the systems which are normally visible from the outside are outside
the firewall.

This also helps to isolate the various segments of the network from
faults in other segments, which is just good design practice.

-GAWollman

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
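A small policy model of the two-layer topology described above, added here as an example (it is not code from the original message or from any FreeBSD tool). The prefixes, ports and rules are constructed assumptions; it shows that a loose router policy plus a strict firewall policy leaves a compromised DMZ host with only the one hole the firewall deliberately opens.

```python
import ipaddress
from typing import NamedTuple, Optional

# Zones. Prefixes are constructed for this example, not taken from the message.
ANY = ipaddress.ip_network("0.0.0.0/0")       # big-bad-Internet / anywhere
DMZ = ipaddress.ip_network("192.0.2.0/24")    # DMZ-hosts behind the DMZ-switch
LAN = ipaddress.ip_network("10.0.0.0/8")      # internal-network behind the firewall
RELAY = ipaddress.ip_network("10.0.0.25/32")  # the one LAN host the DMZ may reach

class Rule(NamedTuple):
    action: str                        # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]               # None matches any destination port

# Layer 1: packet-filtering router. Loose rules: expose only the DMZ services.
ROUTER = [
    Rule("allow", ANY, DMZ, 80),       # public web server
    Rule("allow", ANY, DMZ, 25),       # public mail exchanger
    Rule("allow", DMZ, ANY, None),     # DMZ hosts may talk outward
    Rule("allow", LAN, ANY, None),     # LAN traffic the firewall already passed
    Rule("deny", ANY, LAN, None),      # nothing from outside reaches the LAN directly
]
# Layer 2: firewall. Much stricter: the LAN initiates; the DMZ gets one narrow hole.
FIREWALL = [
    Rule("allow", LAN, ANY, None),     # LAN may initiate to DMZ or Internet
    Rule("allow", DMZ, RELAY, 25),     # DMZ MX may forward mail to one internal relay
    Rule("deny", DMZ, LAN, None),      # a compromised DMZ host gets nothing else
]

def zone(ip: ipaddress.IPv4Address) -> str:
    return "dmz" if ip in DMZ else "lan" if ip in LAN else "internet"

# Which filters a new connection crosses, in order, per (source zone, destination zone).
PATHS = {
    ("internet", "dmz"): [ROUTER],        ("internet", "lan"): [ROUTER, FIREWALL],
    ("dmz", "internet"): [ROUTER],        ("dmz", "lan"): [FIREWALL],
    ("lan", "dmz"): [FIREWALL],           ("lan", "internet"): [FIREWALL, ROUTER],
}

def filter_allows(rules, src, dst, dport) -> bool:
    """First matching rule wins; no match means deny."""
    for r in rules:
        if src in r.src and dst in r.dst and r.dport in (None, dport):
            return r.action == "allow"
    return False

def permitted(src: str, dst: str, dport: int) -> bool:
    """True only if every filter on the path between the two zones allows the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    path = PATHS.get((zone(s), zone(d)), [])
    return bool(path) and all(filter_allows(f, s, d, dport) for f in path)
```

Flows from the outside to the LAN fail at the router before the firewall is ever consulted; flows from a DMZ host inward fail at the firewall unless they hit the single relay rule.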