Security Basics mailing list archives

Re: Basic Network Configuration


From: DRAx <dra.x () ifrance com>
Date: Thu, 16 Oct 2003 08:47:23 +0000



David Gillett wrote:

  One implements a DMZ in order to impose three sets of
firewall rules:
  - between the internet and the DMZ subnet
  - between the internet and the trusted subnet
  - between the DMZ subnet and the trusted subnet

  Ignoring, for the moment, vulnerabilities in the firewall
itself (more on that later), a single box with three
interfaces is quite adequate to deliver this functionality
at a quite reasonable cost.

Sounds like a DUMB thing to do...
How can you IGNORE (even for a moment) the vulnerabilities in the firewall? The 3-NIC firewall is going to be the box standing between you and the hostile world! This is the box that HAS TO BE THE MOST SECURE. Up-to-date on patches, NO services running, just some iptables/ipchains/netfilter for instance and as UN-EXPLOITABLE as you can.

If the firewall is compromised then so is your LAN.

How can you ignore the vulnerabilities in the box taking care of your network's security?
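One concrete shape for the three rule sets the thread describes (internet/DMZ, internet/trusted, DMZ/trusted) on a single three-interface netfilter box, as an added example that is not part of the original thread. Interface names, the RFC 5737 documentation subnets and the single published DMZ host are assumptions; the output is in iptables-restore format, and the INPUT chain is locked down so the firewall host itself answers nothing except SSH from the trusted subnet.

```shell
#!/bin/sh
# Assumed interface layout and addresses (constructed for illustration).
WAN=eth0                  # internet
DMZ_IF=eth1               # DMZ subnet
LAN_IF=eth2               # trusted subnet
DMZ_NET=192.0.2.0/24      # constructed (RFC 5737 documentation range)
LAN_NET=198.51.100.0/24   # constructed (RFC 5737 documentation range)
DMZ_WEB=192.0.2.10        # the one published server in the DMZ, constructed

# Emit the ruleset; apply with:  dmz_ruleset | iptables-restore
dmz_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall host runs no services: loopback, replies, and SSH from the trusted side only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-INPUT-DROP: "
# Stateful replies for every forwarded flow that was allowed below.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rule set 1: internet <-> DMZ. Only the published web service is reachable inbound.
-A FORWARD -i $WAN -o $DMZ_IF -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Rule set 2: internet <-> trusted. Nothing inbound; outbound web and DNS only.
-A FORWARD -i $LAN_IF -o $WAN -s $LAN_NET -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN -s $LAN_NET -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Rule set 3: DMZ <-> trusted. The DMZ never initiates into the trusted subnet;
# trusted admins may open SSH to DMZ hosts.
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "FW-FORWARD-DROP: "
COMMIT
EOF
}

# Sanity check that no rule lets a compromised DMZ host open connections into the trusted subnet.
dmz_cannot_initiate_to_lan() {
  ! dmz_ruleset | grep -q -- "-i $DMZ_IF -o $LAN_IF"
}
```

Lines beginning with `#` are ignored by iptables-restore, so the comments can stay in the deployed file.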



