Date: Wed, 28 Nov 2001 22:00:46 +0200
From: Giorgos Keramidas <charon@labs.gr>
To: Allen Landsidel <all@biosys.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011128200045.GB8893@hades.hell.gr>
In-Reply-To: <5.1.0.14.0.20011126175234.00aeb5e8@rfnj.org>
References: <200111231250.fANCoha19105@cwsys.cwsent.com> <20011122031739.A226@gohan.cjclark.org> <200111231250.fANCoha19105@cwsys.cwsent.com> <5.1.0.14.0.20011126175234.00aeb5e8@rfnj.org>
On 2001-11-26 18:07:21, Allen Landsidel wrote:
>
> >Defense in depth. Examples: A glitch/security breach in Firewall1's
> >ruleset/software does not necessarily expose the internal network.
> >Any vulnerabilities in Firewall2 are harder to exploit when protected
> >by Firewall1.
>
> I have to say.. I've been biting my tongue on this topic, but I feel like
> speaking up now.
>
> The above paragraph is well and good for actual firewalls (like you find in
> vehicles) and actual DMZs (like you find in a warzone) because depth means
> that many more layers of opposing force you have to fight your way through.
>
> It seems pretty meaningless however when applied to a network.(*)
>
> Chances are if an attacker can compromise "Firewall1" then they can use an
> identical exploit/hole/vulnerability to exploit "Firewall2." In war, there
> are such exploits, and they're called bullets.

That is why most books I've read on firewalls suggest the use of `different'
types of firewalls when one is stacked behind the other. To avoid having two
identical firewalls that can be passed with exactly the same bugs/exploits :-)
The depth principle still applies, IMHO.

-giorgos
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011128200045.GB8893>