Security Basics mailing list archives
Re: Firewall and DMZ topology
From: Erik Vincent <evincent () ndexsystems com>
Date: Tue, 10 Jun 2003 14:04:09 -0400
Not really, because they are configured differently. The outer firewall lets traffic from the internet inside the DMZ (ie: SMTP, HTTP etc...).

But the inner firewall won't accept any connection from the DMZ to the LAN, ie:

internet <-> Outer Firewall <-> DMZ <- Inner Firewall <- LAN

The inner firewall will be configured to accept traffic only from the LAN. So all NEW connections from the DMZ to the LAN are DROPPED/REFUSED. This is not the case with the outer firewall, ie: it must forward SMTP, HTTP etc..

If you are running no services on the inner firewall (not even sshd) and use read-only media (read LRP), in my point of view it is a good setup... (Of course, if you have the money to afford CISCO or other things, it may be different...)
Zach Crowell wrote:

Erik Vincent wrote:

I think there is a major difference between:

1: internet --> Outer Firewall --> DMZ --> Inner Firewall --> LAN

If your Outer Firewall is cracked, only the DMZ computer will be unprotected, but the LAN portion is still protected.

Under what conditions would these firewalls be configured any differently from a vulnerability-assessment viewpoint? i.e., if someone was able to crack the outer firewall, is it not likely they would crack the inner firewall as well?

Zach
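To make the difference between the two rulesets concrete, here is a small added example (not from the thread or from any product mentioned in it) that models the stateful behaviour Erik describes: each firewall admits a NEW flow only if a zone-to-zone rule allows it, then tracks the flow so reply packets pass; the inner firewall has no DMZ-to-LAN rule at all. The zones, addresses and ports are constructed for the illustration.

```python
from dataclasses import dataclass, field

INTERNET, DMZ, LAN = "internet", "dmz", "lan"

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    dport: int
    sport: int = 40000

@dataclass
class Firewall:
    """Toy stateful filter: a NEW flow must match a zone rule; later packets of
    that flow (including replies) are ESTABLISHED and ride on the conntrack entry."""
    name: str
    new_rules: dict          # (src_zone, dst_zone) -> ports allowed for NEW flows
    conntrack: set = field(default_factory=set)

    def filter(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return "ACCEPT"          # ESTABLISHED: part of a flow already admitted
        if p.dport in self.new_rules.get((p.src_zone, p.dst_zone), set()):
            self.conntrack.add(fwd)  # NEW flow matching policy: remember it
            return "ACCEPT"
        return "DROP"                # NEW flow with no matching rule (default deny)

def build_topology():
    outer = Firewall("outer", {(INTERNET, DMZ): {25, 80}})  # SMTP/HTTP into the DMZ
    inner = Firewall("inner", {(LAN, DMZ): {22, 25, 80}})   # only the LAN may open flows
    return outer, inner

def simulate():
    """Constructed traffic: 203.0.113.5 is an internet host, 192.0.2.25 a DMZ
    mail relay, 10.0.0.10 a LAN workstation."""
    outer, inner = build_topology()
    r = {}
    r["internet_to_dmz_smtp"] = outer.filter(Packet(INTERNET, DMZ, "203.0.113.5", "192.0.2.25", 25))
    # A compromised DMZ relay tries to open a NEW connection into the LAN: no rule, dropped.
    r["dmz_to_lan_new"] = inner.filter(Packet(DMZ, LAN, "192.0.2.25", "10.0.0.10", 445))
    # A LAN host opens SMTP to the relay; the relay's reply packet is ESTABLISHED and passes.
    r["lan_to_dmz_new"] = inner.filter(Packet(LAN, DMZ, "10.0.0.10", "192.0.2.25", 25, sport=51000))
    r["dmz_to_lan_reply"] = inner.filter(Packet(DMZ, LAN, "192.0.2.25", "10.0.0.10", 51000, sport=25))
    return r
```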