Security Basics mailing list archives
RE: Basic Network Configuration
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 16 Oct 2003 16:37:28 -0700
-----Original Message-----
From: 'Ansgar -59cobalt- Wiechers' [mailto:bugtraq () planetcobalt net]
Sent: October 16, 2003 12:40
To: security-basics () securityfocus com
Subject: Re: Basic Network Configuration

On 2003-10-16 David Gillett wrote:
> On October 16, 2003 03:25 Ansgar -59cobalt- Wiechers wrote:
>> On 2003-10-15 David Gillett wrote:
>>> One implements a DMZ in order to impose three sets of firewall rules:
>>> - between the internet and the DMZ subnet
>>> - between the internet and the trusted subnet
>>> - between the DMZ subnet and the trusted subnet
>>
>> IMHO the second rule is void, since no traffic should bypass the DMZ.
>
> a) WHY??? So a compromised DMZ host can sniff it?

Because you don't want any traffic to go directly from the hostile world to your LAN and vice versa. That's why you have proxies in the DMZ.

> b) Voiding the second rule means totally trusting all traffic that originates from your internal network. In 1993, you could usually get away with that. In 2003, you CAN'T. You MUST filter that traffic; whether you do it in one place or two, you still have that second rule.

I don't get your point. There shouldn't be any unfiltered traffic between your LAN and the Internet. You put proxies into the DMZ and block any direct traffic between LAN and internet. But again: I may be missing something here.
IF everything your users need to be able to reach the Internet with CAN be proxied, and management will pony up the cash for a proxy server and software, then yes, the proxy server should go in the DMZ. Not every organization can justify both the restriction and the expense.

A proxy means that there is no direct traffic ONLY if there are rules on the firewalls that prohibit direct traffic. (A "deny all" rule is still a rule.) So for organizations that deploy a proxy this way, the second ruleset is extremely simple -- but not void.

David Gillett
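The point of the exchange above, that the internet-to-trusted ruleset still exists even when it contains nothing but "deny all", can be made concrete with a small stateless policy evaluator. This is an added example for this archive page, not code posted by either participant; the zone addressing, the proxy and web server hosts, and the port numbers are assumptions chosen for illustration. The evaluator distinguishes a decision that came from an explicit rule from one that fell through to the firewall's default policy, which is exactly the difference between Gillett's three rulesets and Wiechers' two.

```python
"""Toy stateless packet-policy evaluator for the three-ruleset DMZ design.
Constructed example: addresses, hosts and ports are assumptions, not facts
taken from the thread. Reply packets and connection state are not modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed addressing for the three zones discussed in the thread.
DMZ = ip_network("192.0.2.0/24")      # assumed DMZ subnet (documentation range)
TRUSTED = ip_network("10.0.0.0/8")    # assumed internal ("trusted") LAN
PROXY = "192.0.2.10"                  # assumed outbound web proxy living in the DMZ
WEB = "192.0.2.20"                    # assumed public web server in the DMZ


def zone_of(addr: str) -> str:
    """Classify an address into one of the three zones; anything not DMZ or LAN is internet."""
    a = ip_address(addr)
    if a in DMZ:
        return "dmz"
    if a in TRUSTED:
        return "trusted"
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str                        # zone the packet comes from
    dst: str                        # zone it is going to
    action: str                     # "allow" or "deny"
    dport: Optional[int] = None     # None matches any destination port
    src_host: Optional[str] = None  # None matches any host in the src zone
    dst_host: Optional[str] = None  # None matches any host in the dst zone

    def matches(self, src_zone: str, dst_zone: str, src: str, dst: str, dport: int) -> bool:
        return (self.src == src_zone and self.dst == dst_zone
                and self.dport in (None, dport)
                and self.src_host in (None, src)
                and self.dst_host in (None, dst))


Rulesets = Dict[FrozenSet[str], List[Rule]]


def decide(rulesets: Rulesets, src: str, dst: str, dport: int,
           default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation within the ruleset for the (src zone, dst zone) pair.
    Returns (action, origin): origin is "explicit" when a rule decided, or
    "default" when no ruleset or no rule matched and the firewall's default
    policy decided. A pair with no ruleset at all is the "void" case."""
    sz, dz = zone_of(src), zone_of(dst)
    for rule in rulesets.get(frozenset((sz, dz)), []):
        if rule.matches(sz, dz, src, dst, dport):
            return rule.action, "explicit"
    return default, "default"


# Ruleset 1: internet <-> DMZ. Public web server reachable; only the proxy goes out.
INET_DMZ = [
    Rule("internet", "dmz", "allow", dport=80, dst_host=WEB),
    Rule("dmz", "internet", "allow", dport=80, src_host=PROXY),
    Rule("dmz", "internet", "allow", dport=443, src_host=PROXY),
    Rule("internet", "dmz", "deny"),
    Rule("dmz", "internet", "deny"),
]
# Ruleset 3: DMZ <-> trusted. LAN talks to the proxy only; DMZ initiates nothing inward.
DMZ_TRUSTED = [
    Rule("trusted", "dmz", "allow", dport=3128, dst_host=PROXY),
    Rule("trusted", "dmz", "deny"),
    Rule("dmz", "trusted", "deny"),   # a compromised DMZ host gets no path into the LAN
]
# Ruleset 2: internet <-> trusted. "Extremely simple -- but not void."
INET_TRUSTED = [
    Rule("internet", "trusted", "deny"),
    Rule("trusted", "internet", "deny"),  # everything outbound must use the proxy
]

THREE_SETS: Rulesets = {
    frozenset(("internet", "dmz")): INET_DMZ,
    frozenset(("dmz", "trusted")): DMZ_TRUSTED,
    frozenset(("internet", "trusted")): INET_TRUSTED,
}
# Wiechers' variant: the second ruleset is simply absent.
TWO_SETS: Rulesets = {k: v for k, v in THREE_SETS.items()
                      if k != frozenset(("internet", "trusted"))}


def compare(src: str, dst: str, dport: int, default: str) -> Dict[str, Tuple[str, str]]:
    """Evaluate one packet under both designs with the given firewall default policy."""
    return {"three_rulesets": decide(THREE_SETS, src, dst, dport, default),
            "two_rulesets": decide(TWO_SETS, src, dst, dport, default)}


if __name__ == "__main__":
    # Constructed sample packets: a LAN client trying to go straight out, and via the proxy.
    for default in ("deny", "allow"):
        print(f"default policy = {default}")
        print("  LAN -> internet:80  ", compare("10.1.2.3", "198.51.100.7", 80, default))
        print("  LAN -> proxy:3128   ", compare("10.1.2.3", PROXY, 3128, default))
        print("  proxy -> internet:443", compare(PROXY, "198.51.100.7", 443, default))
        print("  internet -> LAN:445 ", compare("198.51.100.7", "10.1.2.3", 445, default))
```

With three rulesets the direct LAN-to-internet packet is denied by an explicit rule no matter what the platform's default policy is; with two rulesets the same packet is decided by the default alone, so a firewall shipped or misconfigured with a permissive default lets it through unfiltered. That is the "deny all is still a rule" observation in runnable form.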