From owner-freebsd-security Sat Nov 24 17:38:16 2001
Message-ID: <20011125013812.9839.qmail@web10106.mail.yahoo.com>
Date: Sat, 24 Nov 2001 17:38:12 -0800 (PST)
From: G Brehm
Subject: Re: Best security topology for FreeBSD
To: cjclark@alum.mit.edu
Cc: security@FreeBSD.ORG
In-Reply-To: <20011122031739.A226@gohan.cjclark.org>

> It is sad to see this poor design,
>
>     Internet
>        |
>        |
>     Firewall--"DMZ"
>        |
>        |
>     Internal
>
> Used so very, very much these days (I think thanks to several firewall
> vendors pushing this as a standard design).
>
> A much better design, is
>
>     Internet
>        |
>        |
>     Firewall1
>        |
>        |
>       DMZ
>        |
>        |
>     Firewall2
>        |
>        |
>     Internal
>
> (This design is actually where the term "DMZ" comes from since it
> actually looks like one here.)
>
> And in your case... that many NICs in one machine... I hope you have a
> dedicated stand-by. It's screaming "single point of failure." I would
> really consider NOT using one machine for all of this.
> --
> Crist J. Clark
> cjclark@alum.mit.edu

Sir,

I have only set up a couple firewalls in my day. I have learned much
from your posts in the past. I am confused by your bias. You'd think if
it was firewall OEM pushing one design it would go for your preferred,
(twice the $). I don't even want to think about a 10 NIC system, but
talking 3 or 4 what is so bad with the first choice?

=====
- i believe in dogs