From owner-freebsd-security  Mon Nov 26 10:20:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gull.prod.itd.earthlink.net (gull.mail.pas.earthlink.net [207.217.120.84])
	by hub.freebsd.org (Postfix) with ESMTP id 8DE6A37B417
	for <security@freebsd.org>; Mon, 26 Nov 2001 10:20:29 -0800 (PST)
Received: from user-38lc2nf.dialup.mindspring.com ([209.86.10.239] helo=gohan.cjclark.org)
	by gull.prod.itd.earthlink.net with esmtp (Exim 3.33 #1)
	id 168QMk-0002Py-00; Mon, 26 Nov 2001 10:20:28 -0800
Received: (from cjc@localhost)
	by gohan.cjclark.org (8.11.6/8.11.1) id fAQ89fU00343;
	Mon, 26 Nov 2001 00:09:41 -0800 (PST)
	(envelope-from cjc)
Date: Mon, 26 Nov 2001 00:09:41 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: MikeM <MyRaQ@mgm51.com>
Cc: G Brehm <gbbrehm@yahoo.com>, security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011126000941.C222@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011125013812.9839.qmail@web10106.mail.yahoo.com> <200111242124560932.023F3386@home.24cl.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200111242124560932.023F3386@home.24cl.com>; from MyRaQ@mgm51.com on Sat, Nov 24, 2001 at 09:24:56PM -0500
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Sat, Nov 24, 2001 at 09:24:56PM -0500, MikeM wrote:
[snip]

> I'm not sure I agree with your comments.   Yes, your architecture is more akin to the origin of the term "DMZ", but is that the real functionality that we want to provide?  Should we be more concerned with staying within the strict definition of the military term "DMZ" or should our firewalls provide the needed function?

The needed function is maintaining defense from the hostile network. A
layered approach is a good way to do this.

> In my "DMX", the server only sees port 80 traffic.  *only port 80*  I cannot possibly provide that functionality with your strict interpretation of a DMZ firewall.    Given the options of tossing aside your strict definition of DMZ of re-architecturing my firewall, I think I'd vote for tossing aside your definition.

Why can it not only see such traffic? On the external firewall (and
from the internal network to the server too if you'd like), you only
pass port 80 to and from the server. No other traffic is allowed to
the server. I don't understand why you claim I cannot do this.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message