Security Basics mailing list archives
RE: Basic Network Configuration
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 16 Oct 2003 08:40:08 -0700
DUH. The question that was asked was not "Should the firewall be hardened and kept up to date with patches?" It was "Should we have one box with three interfaces, or two with two apiece?" Hardening and patching are OF COURSE important, but they don't help answer the TOPOLOGY question.

David Gillett
-----Original Message-----
From: DRAx [mailto:dra.x () ifrance com]
Sent: October 16, 2003 01:47
To: gillettdavid () fhda edu
Cc: 'Smith, KC'; security-basics () securityfocus com
Subject: Re: Basic Network Configuration

David Gillett wrote:
> One implements a DMZ in order to impose three sets of firewall rules:
> - between the internet and the DMZ subnet
> - between the internet and the trusted subnet
> - between the DMZ subnet and the trusted subnet
> Ignoring, for the moment, vulnerabilities in the firewall itself (more on that later), a single box with three interfaces is quite adequate to deliver this functionality at a quite reasonable cost.

Sounds like a DUMB thing to do... How can u IGNORE (even for a moment) the vulnerabilities in the firewall? The 3 NIC Firewall is going to be the box standing between you and the hostile world! This is the box that HAS TO BE THE MOST SECURE. Up-to-date on patches, NO services running, just some iptables/ipchains/netfilter for instance and as UN-EXPLOITABLE as you can. If the firewall is compromised then so is your LAN. How can you ignore the vulnerabilities in the box taking care of your network's security?
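The three rule sets David describes, as an added example in Python that is not code from the thread: the interface names, address ranges and permitted ports are assumptions chosen for illustration, and the rendered iptables lines show what the single three-NIC box would carry in its FORWARD chain.

```python
# Added example (not from the thread): a model of the three rule sets a single
# three-interface DMZ firewall enforces, and the iptables FORWARD rules they map
# to. Interface names, address ranges and allowed ports are assumptions.
from ipaddress import ip_address, ip_network

# One box, three NICs: each interface is a zone (assumed names and ranges).
ZONES = {
    "eth0": ("internet", ip_network("0.0.0.0/0")),  # untrusted, catch-all
    "eth1": ("dmz", ip_network("192.0.2.0/24")),    # public-facing servers
    "eth2": ("trusted", ip_network("10.0.0.0/8")),  # internal LAN
}

# The three rule sets from the thread (plus the outbound directions), keyed by
# (ingress zone, egress zone) -> allowed TCP destination ports; "*" = any.
POLICY = {
    ("internet", "dmz"): {80, 443, 25},   # only the published services
    ("internet", "trusted"): set(),       # nothing inbound to the LAN
    ("dmz", "trusted"): set(),            # a compromised DMZ host stops here
    ("trusted", "dmz"): {22, 80, 443},    # admin and application access
    ("trusted", "internet"): {"*"},       # LAN may go out freely
    ("dmz", "internet"): {25, 53},        # DMZ gets mail relay and DNS only
}

def zone_of(addr):
    """Zone whose network most specifically contains addr."""
    a = ip_address(addr)
    return max((net.prefixlen, name) for name, net in ZONES.values() if a in net)[1]

def forward_allowed(in_if, src, dst, dport):
    """Decide a new forwarded TCP flow; returns (accepted, reason)."""
    in_zone = ZONES[in_if][0]
    # Anti-spoofing: the source must belong to the zone of the ingress NIC.
    if zone_of(src) != in_zone:
        return False, f"spoofed source {src} on {in_if}"
    out_zone = zone_of(dst)
    allowed = POLICY.get((in_zone, out_zone), set())
    if "*" in allowed or dport in allowed:
        return True, f"{in_zone}->{out_zone} port {dport} permitted"
    return False, f"{in_zone}->{out_zone} port {dport} denied (default drop)"

def iptables_rules():
    """Render POLICY as iptables FORWARD rules with a default-drop policy."""
    nic = {name: ifc for ifc, (name, _) in ZONES.items()}
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for (src_z, dst_z), ports in POLICY.items():
        for p in sorted(ports, key=str):
            match = "" if p == "*" else f" -p tcp --dport {p}"
            rules.append(f"iptables -A FORWARD -i {nic[src_z]} -o {nic[dst_z]}{match} -j ACCEPT")
    return rules
```

Because the DMZ-to-trusted set is empty, no rule is ever emitted for eth1 to eth2, which is the property the topology is meant to give you regardless of whether one box or two carries the rules.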