From owner-freebsd-security Tue Nov 27 13:04:32 2001
Date: Tue, 27 Nov 2001 16:04:04 -0500 (EST)
From: Chris BeHanna
To: freebsd-security@freebsd.org
Subject: Re: Best security topology for FreeBSD
In-Reply-To: <20011127054030.GB5828@shall.anarcat.dyndns.org>
Message-ID: <20011127160049.N57709-100000@topperwein.dyndns.org>

On Tue, 27 Nov 2001, The Anarcat wrote:

> The firewall, whether it is single or dual, has the same functionality
> in the presence of a DMZ:
>
> (2 designs of dual fw):         (and a single fw design):
>
>   out          out                    out
>    |            |                      |
>   fw1          fw1----+                |
>    |            |     |                |
>   dmz          dmz    |       fw ---- dmz
>    |            |     |                |
>   fw2          fw2----+                |
>    |            |                      |
>   in           in                     in
>
> In the second one, you set up a private line between the 2 fws to have
> direct traffic let through unsniffable directly by the dmz. That is,
                             ^^^^^^^^^^^
> even if you let direct traffic, where you might prefer having proxies
> somewhere to avoid direct traffic.

No, not unsniffable. If an attacker manages to install arp-spoof
software on the DMZ, then he can easily mount a man-in-the-middle
attack and reroute all the traffic between fw1 and fw2 through the
DMZ. Even routers can be overcome. There's a good discussion about
this kind of thing on the dsniff website.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
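A defender-side check for the point Chris makes, added here as an example and not part of the thread: watch ARP replies on the DMZ segment and alert when any MAC other than the firewalls' real ones claims a firewall IP (the pinned table plays the role of `arp -s` static entries), or when an ordinary host's binding flaps. All addresses, MACs and replies below are constructed.

```python
"""ARP-spoofing watch for the fw1 <-> fw2 link on a shared DMZ segment.
Added example, not from the thread. Assumes the two firewalls' DMZ-side MACs
are known and pinned (as `arp -s` static entries would); replies are constructed."""

# Pinned IP -> MAC for the firewalls' DMZ interfaces (constructed values).
PINNED = {
    "10.0.0.1": "00:11:22:33:44:01",  # fw1
    "10.0.0.2": "00:11:22:33:44:02",  # fw2
}


def check_reply(sender_ip, sender_mac, pinned, learned):
    """Return an alert if the (sender IP, sender MAC) pair from an ARP reply
    contradicts a pinned or previously learned binding; otherwise accept it
    (learning unpinned hosts) and return None."""
    mac = sender_mac.lower()
    if sender_ip in pinned:
        if mac != pinned[sender_ip].lower():
            # A host other than the real firewall answering for its IP is how
            # fw1<->fw2 traffic gets pulled through a DMZ box.
            return (f"PINNED CONFLICT: {sender_ip} claimed by {mac}, "
                    f"expected {pinned[sender_ip]}")
        return None
    previous = learned.get(sender_ip)
    if previous is not None and previous != mac:
        return f"BINDING CHANGED: {sender_ip} moved from {previous} to {mac}"
    learned[sender_ip] = mac
    return None


def scan(replies, pinned=PINNED):
    """Run every (ip, mac) reply through check_reply; return the alerts in order."""
    learned, alerts = {}, []
    for sender_ip, sender_mac in replies:
        alert = check_reply(sender_ip, sender_mac, pinned, learned)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed replies: normal traffic, then one DMZ server answering for both firewalls.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.2", "00:11:22:33:44:02"),
    ("10.0.0.50", "00:aa:bb:cc:dd:50"),  # ordinary DMZ server
    ("10.0.0.1", "00:aa:bb:cc:dd:50"),   # DMZ server claims fw1's IP
    ("10.0.0.2", "00:aa:bb:cc:dd:50"),   # ... and fw2's IP
    ("10.0.0.50", "00:aa:bb:cc:dd:50"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_REPLIES):
        print(line)
```

Static entries stop the firewalls themselves from accepting the bogus replies; the monitor is what tells you it was attempted.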