From owner-freebsd-security  Sun Nov 25 17: 3:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from swan.prod.itd.earthlink.net (swan.mail.pas.earthlink.net [207.217.120.123])
	by hub.freebsd.org (Postfix) with ESMTP id 57AA237B41B
	for <security@freebsd.org>; Sun, 25 Nov 2001 17:03:50 -0800 (PST)
Received: from user-33qtmct.dialup.mindspring.com ([199.174.217.157] helo=gohan.cjclark.org)
	by swan.prod.itd.earthlink.net with esmtp (Exim 3.33 #1)
	id 168ABT-0006J5-00; Sun, 25 Nov 2001 17:03:45 -0800
Received: (from cjc@localhost)
	by gohan.cjclark.org (8.11.6/8.11.1) id fAP6a4j00325;
	Sat, 24 Nov 2001 22:36:04 -0800 (PST)
	(envelope-from cjc)
Date: Sat, 24 Nov 2001 22:36:03 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
Cc: security@FreeBSD.ORG
Subject: Re: Firewall design [was: Re: Best security topology for FreeBSD]
Message-ID: <20011124223603.A228@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011122031739.A226@gohan.cjclark.org> <Pine.BSF.4.21.0111222046180.636-100000@lhotse.zaraska.dhs.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.BSF.4.21.0111222046180.636-100000@lhotse.zaraska.dhs.org>; from kzaraska@student.uci.agh.edu.pl on Thu, Nov 22, 2001 at 08:55:30PM +0100
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Thu, Nov 22, 2001 at 08:55:30PM +0100, Krzysztof Zaraska wrote:
> On Thu, 22 Nov 2001, Crist J. Clark wrote:
> 
> <snip>
> > It is sad to see this poor design,
> > 
> >      Internet
> >         |
> >         |
> >       Firewall--"DMZ"
> >         |
> >         |
> >      Internal
> > 
> > Used so very, very much these days (I think thanks to several firewall
> > vendors pushing this as a standard design).
> > 
> > A much better design, is
> > 
> >       Internet
> >          |
> >          |
> >       Firewall1
> >          |
> >          |
> >         DMZ
> >          |
> >          |
> >       Firewall2
> >          |
> >          |
> >       Internal
> > 
> > (This design is actually where the term "DMZ" comes from since it
> > actually looks like one here.)
> 
> Could you please explain why the second design is better?

The fundamental security concept: defense in depth. In the first
design, there is only a single layer of security between any of your
networks and the hostile network. In the second, you have an
additional layer of security for internal network.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message