Date: Fri, 23 Nov 2001 12:28:09 +0200
From: Giorgos Keramidas <charon@labs.gr>
To: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
Cc: security@FreeBSD.ORG
Subject: Re: Firewall design [was: Re: Best security topology for FreeBSD]
Message-ID: <20011123102809.GA9743@hades.hell.gr>
In-Reply-To: <Pine.BSF.4.21.0111222046180.636-100000@lhotse.zaraska.dhs.org>
References: <20011122031739.A226@gohan.cjclark.org> <Pine.BSF.4.21.0111222046180.636-100000@lhotse.zaraska.dhs.org>
[ ascii art reordering to cut a few lines of text ]

    Internet --- firewall --- internal
                    |
                   DMZ

------------------------------------------------------------

    Internet --- firewall1 --- DMZ --- firewall2 --- internal

------------------------------------------------------------

On 2001-11-22 20:55:30, Krzysztof Zaraska wrote:
> Could you please explain why the second design is better? I know it's
> harder to properly construct the correct ruleset for the first topology,
> but what are other problems?

Two levels of firewall; one more barrier for intruders. If the same
machine is used for the DMZ and internal firewall, and it is compromised,
then both the DMZ and internal networks are wide open.

This, however, is useless if you use exactly the same hardware/software
both for the `external' and `internal' machines and still have two
separate machines for the two firewalls. The same exploits/bugs that
will let someone in at the external firewall will let him break the
internal firewall when the DMZ has been compromised.

But by now we are deep into the paranoia territory :)

-giorgos

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
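The argument in the reply above (a second firewall only adds a barrier if it does not share the first one's exploitable stack) can be checked with a small attack-path model. This is an added example, not code from the thread; the stack labels "stack-A"/"stack-B" are hypothetical placeholders, and an intruder is assumed to cross any firewall whose stack label is in the set of exploits he holds.

```python
# Added example: minimal attack-path model for the two topologies in the reply.
# A firewall node is crossed only if the intruder holds an exploit for its stack.
from collections import deque


def reachable_networks(links, firewall_stacks, exploits, start="Internet"):
    """links: undirected (a, b) edges between networks and firewalls.
    firewall_stacks: firewall name -> stack label (hypothetical labels).
    exploits: set of stack labels the intruder can break.
    Returns the network segments reachable from `start` (firewalls excluded)."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt in seen:
                continue
            # A firewall running a stack the intruder cannot exploit stops him.
            if nxt in firewall_stacks and firewall_stacks[nxt] not in exploits:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return {n for n in seen if n not in firewall_stacks and n != start}


# Topology 1: one three-legged firewall (Internet, DMZ, internal).
SINGLE = [("Internet", "firewall"), ("firewall", "DMZ"), ("firewall", "internal")]
# Topology 2: Internet --- firewall1 --- DMZ --- firewall2 --- internal.
TWO_TIER = [("Internet", "firewall1"), ("firewall1", "DMZ"),
            ("DMZ", "firewall2"), ("firewall2", "internal")]


def exposure_after_external_compromise(topology, stacks):
    """The intruder holds exactly one exploit: for the outermost firewall's stack."""
    outer = "firewall" if "firewall" in stacks else "firewall1"
    return reachable_networks(topology, stacks, {stacks[outer]})


if __name__ == "__main__":
    print(exposure_after_external_compromise(SINGLE, {"firewall": "stack-A"}))
    print(exposure_after_external_compromise(
        TWO_TIER, {"firewall1": "stack-A", "firewall2": "stack-A"}))
    print(exposure_after_external_compromise(
        TWO_TIER, {"firewall1": "stack-A", "firewall2": "stack-B"}))
```

The three runs reproduce the reply's point: the single firewall and the two-tier design with identical stacks both expose the DMZ and the internal network, while two tiers with different stacks expose only the DMZ.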