Security Basics mailing list archives
RE: Firewall and DMZ topology
From: "Depp, Dennis M." <deppdm () ornl gov>
Date: Tue, 10 Jun 2003 14:40:51 -0400
I'm not sure how a tri-homed firewall can be just as secure as a two firewall setup. Consider this: Hacker is able to penetrate your firewall and "owns" the box. In a tri-homed firewall, they now have direct access to your internal network. If this had been a two firewall setup, they would have to compromise the second box as well. While this may not be an issue as they were already successful in owning one firewall, hopefully you have your intrusion detection system tuned to a greater degree of sensitivity in your DMZ. And you will be able to discover this second attempt.

I do think tri-homed firewalls are a good solution, but they are not as secure as a two firewall solution.

Dennis Depp
-----Original Message-----
From: Chris Berry [mailto:compjma () hotmail com]
Sent: Tuesday, June 10, 2003 2:21 PM
To: security-basics () securityfocus com

From: "Des Ward" <des.ward () ntlworld com>
The second means that all traffic has to traverse your LAN to get to the 'Unprotected' DMZ systems and also could leave your internal LAN open to attack.

My ASCII drawing didn't come out very well it was supposed to represent a tri-homed firewall, which, to the best of my knowledge is just as secure as a two firewall setup.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Gold is for the mistress - silver for the maid
Copper for the craftsman cunning in his trade.
"Good!" said the Baron, sitting in his hall
But steel - cold steel is master of them all."
-- Rudyard Kipling