From: Garrett Wollman
Date: Tue, 27 Nov 2001 11:42:41 -0500 (EST)
To: Allen Landsidel
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-Id: <200111271642.fARGgfU32312@khavrinen.lcs.mit.edu>
In-Reply-To: <5.1.0.14.0.20011127071415.00aa4a18@rfnj.org>

< said:

> out
> |
> wan
> |
> switch --- dmz
> |
> fw
> |
> switch
> |
> lan

I think the more traditional version (of the ``two-firewall'' implementation) is not much different from this:

    big-bad-Internet --- packet-filtering-router --- DMZ-switch --- DMZ-hosts
                                                         |
                                   internal-network --- firewall

The point being that the first layer of defense protects both DMZ-hosts and internal-network (not to mention the DMZ-switch and firewall themselves, which is necessary for some commercial ``firewall'' products); an additional layer of defense protects internal-network from both big-bad-Internet and any potentially-compromised DMZ-hosts.

In addition, the policy for traversal of the firewall can be made much stricter than the rules on the packet-filtering router, since all of the systems which are normally visible from the outside are outside the firewall. This also helps to isolate the various segments of the network from faults in other segments, which is just good design practice.
-GAWollman
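As an added illustration of the two-layer design discussed in this message (example code, not from the original post or from FreeBSD), the following Python model encodes a permissive ruleset for the packet-filtering router and a stricter one for the inner firewall, then evaluates which filtering point, if any, stops a given flow. The zone names, ports and rules are constructed for the example.

```python
# Added model of the two-layer topology in the message above: a permissive
# packet-filtering router in front of the DMZ and a stricter firewall in
# front of the internal network.  Zone names, ports and rules are
# constructed for this example, not taken from the original message.

# First-match rules: (src_zone, dst_zone, dst_port, action); "*" = any.
# Router: admit only advertised DMZ services; let inside-originated traffic out.
ROUTER_RULES = [
    ("internet", "dmz", 80, "allow"),
    ("internet", "dmz", 25, "allow"),
    ("internet", "*", "*", "deny"),    # nothing else enters from outside
    ("*", "*", "*", "allow"),
]

# Inner firewall, stricter: only the internal network initiates flows;
# the one inbound exception is the DMZ mail relay.
FIREWALL_RULES = [
    ("internal", "*", "*", "allow"),
    ("dmz", "internal", 25, "allow"),
    ("*", "internal", "*", "deny"),    # also stops a compromised DMZ host
]

def filters_on_path(src, dst):
    """Filtering points a flow crosses, in traversal order."""
    hops = []
    if "internet" in (src, dst):
        hops.append("router")
    if "internal" in (src, dst):
        hops.append("firewall")
    return hops[::-1] if src == "internal" else hops

def matches(rule, src, dst, port):
    rule_src, rule_dst, rule_port, _ = rule
    return (rule_src in (src, "*") and rule_dst in (dst, "*")
            and rule_port in (port, "*"))

def decide(rules, src, dst, port):
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule[3]
    return "deny"                      # default deny when nothing matches

def path_allowed(src, dst, port):
    """Return (allowed, blocking_point); blocking_point is None if allowed."""
    for point in filters_on_path(src, dst):
        rules = ROUTER_RULES if point == "router" else FIREWALL_RULES
        if decide(rules, src, dst, port) == "deny":
            return False, point
    return True, None
```

Calling `path_allowed("dmz", "internal", 22)` shows the inner firewall, not the router, stopping a compromised DMZ host, while `path_allowed("internet", "internal", 80)` is already stopped at the router.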