Security Basics mailing list archives
Re: Firewall and DMZ topology
From: Erik Vincent <evincent () ndexsystems com>
Date: Tue, 10 Jun 2003 13:19:28 -0400
I think there is a major difference between:

1: internet --> Outer Firewall --> DMZ --> Inner Firewall --> LAN

If your Outer Firewall is cracked, only the DMZ computers will be unprotected, but the LAN portion is still protected. If you deny all connections from the DMZ to the LAN and run no services on the Inner Firewall, it seems to me secure enough for a corporate LAN. Of course, sniffing is possible (so you have to use SSL or some kind of encryption between your LAN and your DMZ).
and
2: internet --> Firewall --> LAN --> DMZ

If the Firewall is cracked, the DMZ and LAN will be unprotected. It is far easier to crack a Windows/Linux box when there is no Firewall at all.
From my point of view, never use a Firewall with 3 NICs, for the above reason. Of course, if you are on a tight budget...... I know that Cisco PIX routers use this kind of configuration (#2).
Chris Berry wrote:
From: Christopher Ingram <cmi () crystalsands net>

So, the below setup is not decent for a corporate LAN. Ideally, the DMZ should sit on a separate connection to the Internet from the rest of the network, using a different ISP and therefore a different IP block. This provides the most isolation.

I'm afraid I don't see how that:

internet --> Firewall --> LAN
internet --> Firewall --> DMZ

would be any more secure than this:

internet --> Outer Firewall --> DMZ --> Inner Firewall --> LAN

or this:

internet --> Firewall --> LAN --> DMZ

which are the setups that I've seen. Can you give some justification/explanation on why you think that would be better?

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates
"All I want is a few minutes alone with the source code for the universe and a quick recompile."
---------------------------------------------------------------------------
Evaluating SSL VPNs? Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
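The argument in the message above (a cracked outer firewall in the two-tier layout exposes only the DMZ, while a cracked three-NIC firewall exposes DMZ and LAN together) can be made concrete with a small zone-reachability model. The following is an added example written for this archive page; it is not code from the thread or from any vendor. The zone names, the specific allow pairs (published services from the Internet into the DMZ, LAN hosts initiating into the DMZ and the Internet, nothing from the DMZ into the LAN) and the assumption that owning a firewall discards its whole policy are all assumptions of the model, chosen to match the two topologies as the poster describes them.

```python
"""Zone-reachability model of the two DMZ topologies discussed in the thread.

Each firewall is a default-deny forwarder between the zones it has an
interface in.  An `allow` pair (src, dst) means connections may be *initiated*
from src to dst; the stateful return path is implied, as a real firewall
would treat it.  Compromising a firewall is modelled as the attacker owning
the box, so its policy disappears entirely.  Zone names and rules are assumed.
"""
from collections import deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Firewall:
    name: str
    zones: frozenset          # zones the box has an interface in
    allow: frozenset          # (src, dst) pairs it forwards; everything else is dropped
    compromised: bool = False

    def forwards(self, src, dst):
        if src == dst or src not in self.zones or dst not in self.zones:
            return False
        return True if self.compromised else (src, dst) in self.allow


def reachable(firewalls, start):
    """Zones from which a host in `start` can open a connection, transitively."""
    seen, todo = {start}, deque([start])
    while todo:
        zone = todo.popleft()
        for fw in firewalls:
            for dst in fw.zones:
                if dst not in seen and fw.forwards(zone, dst):
                    seen.add(dst)
                    todo.append(dst)
    return seen


def two_tier():
    """Topology 1: internet --> Outer Firewall --> DMZ --> Inner Firewall --> LAN."""
    outer = Firewall("outer", frozenset({"internet", "dmz"}),
                     frozenset({("internet", "dmz"), ("dmz", "internet")}))
    # Inner firewall: LAN may initiate into the DMZ; the (dmz, lan) pair is
    # deliberately absent, which is the "deny all DMZ to LAN" rule from the post.
    inner = Firewall("inner", frozenset({"dmz", "lan"}),
                     frozenset({("lan", "dmz")}))
    return [outer, inner]


def three_nic():
    """Topology 2: a single firewall with internet, DMZ and LAN interfaces."""
    fw = Firewall("single", frozenset({"internet", "dmz", "lan"}),
                  frozenset({("internet", "dmz"), ("dmz", "internet"),
                             ("lan", "dmz"), ("lan", "internet")}))
    return [fw]


def exposure(firewalls, attacker_zone="internet", owned=None):
    """Zones an attacker in `attacker_zone` reaches once firewall `owned` is compromised."""
    fws = [replace(fw, compromised=(fw.name == owned)) for fw in firewalls]
    return reachable(fws, attacker_zone) - {attacker_zone}


def policy_findings(firewalls):
    """Names of firewalls whose policy lets the DMZ initiate connections into the LAN."""
    return [fw.name for fw in firewalls if fw.forwards("dmz", "lan")]


if __name__ == "__main__":
    for label, topo, fw_name in (("two-tier", two_tier(), "outer"),
                                 ("three-NIC", three_nic(), "single")):
        print(f"{label}: normal={sorted(exposure(topo))}, "
              f"{fw_name} owned={sorted(exposure(topo, owned=fw_name))}, "
              f"dmz host owned={sorted(exposure(topo, attacker_zone='dmz'))}")
```

Two things the model makes visible that the prose only asserts: with correct rules, a compromised DMZ host is contained equally well in both layouts (it reaches the Internet and nothing else), so the difference between the designs is entirely about what is lost when the firewall itself falls; and in the two-tier layout the inner firewall is the real gate to the LAN, which is why the post insists it run no services of its own.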
Current thread:
- Re: Firewall and DMZ topology, (continued)
- Re: Firewall and DMZ topology Erik Vincent (Jun 09)
- Re: Firewall and DMZ topology Christopher Ingram (Jun 09)
- Re: Firewall and DMZ topology Erik Vincent (Jun 09)
- Re: Firewall and DMZ topology Brad Mills (Jun 10)
- Re: Firewall and DMZ topology - Thanks for all the information William J. Burgos (Jun 11)
- RE: Firewall and DMZ topology Mann, Bobby (Jun 09)
- RE: Firewall and DMZ topology ed (Jun 10)
- Re: Firewall and DMZ topology Erik Vincent (Jun 10)
- Re: Firewall and DMZ topology Daniel B. Cid (Jun 10)
- RE: Firewall and DMZ topology ed (Jun 10)
- Re: Firewall and DMZ topology Chris Berry (Jun 10)
- RE: Firewall and DMZ topology David Gillett (Jun 10)
- Re: Firewall and DMZ topology Erik Vincent (Jun 10)
- Re: Firewall and DMZ topology Zach Crowell (Jun 10)
- Re: Firewall and DMZ topology Erik Vincent (Jun 10)
- VPN vs changing routes Keenan Smith (Jun 10)
- Re: VPN vs changing routes chort (Jun 10)
- RE: VPN vs changing routes David Gillett (Jun 10)
- Re: [security] VPN vs changing routes Martin (Jun 11)
- Re: VPN vs changing routes Joerg Over Dexia (Jun 11)
- Re: Firewall and DMZ topology Daniel B. Cid (Jun 10)
- Re: Firewall and DMZ topology Steve Bremer (Jun 10)