Date: Wed, 28 Nov 2001 22:00:46 +0200
From: Giorgos Keramidas
To: Allen Landsidel
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011128200045.GB8893@hades.hell.gr>
References: <200111231250.fANCoha19105@cwsys.cwsent.com> <20011122031739.A226@gohan.cjclark.org> <200111231250.fANCoha19105@cwsys.cwsent.com> <5.1.0.14.0.20011126175234.00aeb5e8@rfnj.org>
In-Reply-To: <5.1.0.14.0.20011126175234.00aeb5e8@rfnj.org>

On 2001-11-26 18:07:21, Allen Landsidel wrote:
>
> >Defense in depth. Examples: A glitch/security breach in Firewall1's
> >ruleset/software does not necessarily expose the internal network.
> >Any vulnerabilities in Firewall2 are harder to exploit when protected
> >by Firewall1.
>
> I have to say.. I've been biting my tongue on this topic, but I feel like
> speaking up now.
>
> The above paragraph is well and good for actual firewalls (like you find in
> vehicles) and actual DMZ's (like you find in a warzone) because depth means
> that many more layers of opposing force you have to fight your way through.
> It seems pretty meaningless however when applied to a network.(*)
>
> Chances are if an attacker can compromise "Firewall1" then they can use an
> identical exploit/hole/vulnerability to exploit "Firewall2." In war, there
> are such exploits, and they're called bullets.

That is why most books I've read on firewalls suggest the use of
`different' types of firewalls when one is stacked behind the other.
To avoid having two identical firewalls that can be passed with exactly
the same bugs/exploits :-)

The depth principle still applies, IMHO.

-giorgos