Date:      Fri, 23 Nov 2001 12:28:09 +0200
From:      Giorgos Keramidas <charon@labs.gr>
To:        Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
Cc:        security@FreeBSD.ORG
Subject:   Re: Firewall design [was: Re: Best security topology for FreeBSD]
Message-ID:  <20011123102809.GA9743@hades.hell.gr>
In-Reply-To: <Pine.BSF.4.21.0111222046180.636-100000@lhotse.zaraska.dhs.org>
References:  <20011122031739.A226@gohan.cjclark.org> <Pine.BSF.4.21.0111222046180.636-100000@lhotse.zaraska.dhs.org>

[ ascii art reordering to cut a few lines of text ]

Internet --- firewall --- internal
                 |
                DMZ
------------------------------------------------------------

Internet --- firewall1 --- DMZ --- firewall2 --- internal

------------------------------------------------------------

On 2001-11-22 20:55:30, Krzysztof Zaraska wrote:
> Could you please explain why the second design is better? I know it's
> harder to properly construct the correct ruleset for the first topology,
> but what are other problems?

Two levels of firewall; one more barrier for intruders.  If the same
machine is used for the DMZ and internal firewall, and it is
compromised, then both the DMZ and internal networks are wide open.

This, however, is useless if you use exactly the same hardware/software
both for the `external' and `internal' machines and still have two
separate machines for the two firewalls.  The same exploits/bugs that
will let someone in at the external firewall will let him break the
internal firewall when the DMZ has been compromised.

But by now we are deep into the paranoia territory :)

-giorgos
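As an added example (not part of Giorgos's mail), here are ipfw rulesets for the second layout, `Internet --- firewall1 --- DMZ --- firewall2 --- internal`, with the addresses, interface-free host names and services constructed for illustration (192.0.2.0/24 as the DMZ, 10.0.2.0/24 as the internal network). The internal firewall's list shows what the extra barrier buys: only the handful of flows the DMZ services actually need are let through, so a fully compromised DMZ host still cannot reach the internal network at will.

```shell
#!/bin/sh
# Added example, not from the original mail: ipfw rulesets for the
# two-tier layout (Internet --- firewall1 --- DMZ --- firewall2 --- internal).
# Addresses, hosts and services below are constructed placeholders.
# On a real firewall set fwcmd=/sbin/ipfw; the default only prints the rules.
fwcmd="${fwcmd:-echo /sbin/ipfw}"

DMZ_NET="192.0.2.0/24"        # assumed DMZ network (TEST-NET-1 placeholder)
INT_NET="10.0.2.0/24"         # assumed internal network
WWW="192.0.2.10"              # assumed public web server in the DMZ
MAIL_RELAY="192.0.2.25"       # assumed mail relay in the DMZ
DB="10.0.2.5"                 # assumed internal database used by $WWW
IMAP="10.0.2.6"               # assumed internal mail store used by $MAIL_RELAY

# firewall1: the Internet may reach only the published DMZ services.
rules_firewall1() {
    $fwcmd -f flush
    $fwcmd add 100 check-state
    $fwcmd add 200 allow tcp from any to $WWW 80,443 setup keep-state
    $fwcmd add 210 allow tcp from any to $MAIL_RELAY 25 setup keep-state
    # DMZ hosts may open outbound connections (updates, outgoing mail).
    $fwcmd add 300 allow tcp from $DMZ_NET to any setup keep-state
    $fwcmd add 65000 deny log ip from any to any
}

# firewall2: a DMZ host gets exactly the flows its service needs and
# nothing else. Note there is no rule from $DMZ_NET to $INT_NET: this
# short, explicit list is the "one more barrier" of the two-tier design.
rules_firewall2() {
    $fwcmd -f flush
    $fwcmd add 100 check-state
    $fwcmd add 200 allow tcp from $WWW to $DB 5432 setup keep-state
    $fwcmd add 210 allow tcp from $MAIL_RELAY to $IMAP 993 setup keep-state
    # Internal hosts may initiate connections into the DMZ and beyond.
    $fwcmd add 300 allow tcp from $INT_NET to $DMZ_NET setup keep-state
    $fwcmd add 310 allow tcp from $INT_NET to any setup keep-state
    $fwcmd add 65000 deny log ip from any to any
}

rules_firewall1
rules_firewall2
```

Running the script as-is prints both rule lists for review; the mail's caveat still applies, so the two machines should not share the same software and patch level.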
