Security Basics mailing list archives

RE: Proxy & Firewall Implementation


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 13 Jan 2005 14:16:00 -0800

  There's no question that you need at least one firewall filtering
traffic between your internal network and the outside world.  Your
DMZ servers accept connections from that outside world, so you want
filtering between them and the inside network, too.  But they shouldn't
accept any and all connections from the outside.  There are three
basic ways to do this:

1.  Put a firewall between your internal network and the DMZ which allows
session origination only from the trusted internal network.  Put another
firewall between the DMZ and the outside, which allows session origination
from the inside and DMZ, and much more limited from the outside into just
the DMZ.

2.  Put a firewall between your internal network and the DMZ which allows
session origination only from the trusted internal network.  Harden your
DMZ servers ("bastion servers") to the gills.

3.  Put your internal network, DMZ, and the Internet on three (or more)
interfaces of a firewall with appropriate filtering rules for traffic
between these zones.

  Option #1 can be the most secure, but at the price of a second firewall,
more complicated management (especially if the firewalls are of different
types or vendors), and probably some performance overhead.
  Option #2 can be inexpensive, and provides the best possible performance.
  Option #3 offers a good trade-off between price, performance, protection,
and manageability.

  The relative priority of these four criteria varies from one organization
to the next.  One size does not fit all.

David Gillett
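
A small model of the three options above, added here as an example (it is not part of David's reply and not any vendor's firewall code): a stateful zone filter in which only the first packet of a flow is checked against a session-origination matrix, and return traffic is accepted because the session was recorded. Zone prefixes, addresses, ports and the list of published DMZ services are constructed for the illustration. Options 1 and 3 share one matrix, since the reply distinguishes them by box count, management and performance rather than by policy; option 2 leaves the DMZ/outside path unfiltered, because in that layout nothing but the hardened bastion hosts sits there.

```python
"""Stateful zone-policy model of the three DMZ layouts in the reply (added example)."""
import ipaddress
from typing import Dict, Set, Tuple

# Constructed address plan, one prefix per zone; anything else is "outside".
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),  # documentation range, constructed
}

# Constructed list of DMZ services the outside world is meant to reach.
PUBLISHED: Set[Tuple[str, int]] = {("192.0.2.10", 80), ("192.0.2.10", 443), ("192.0.2.20", 25)}

ALLOW, PUBLISHED_ONLY, DENY, UNFILTERED = "allow", "published", "deny", "unfiltered"

# Session-origination matrix per option, keyed by (source zone, destination zone).
# Pairs not listed are denied. Options 1 and 3 enforce the same matrix (two boxes
# versus one); option 2 has no firewall between the DMZ and the outside at all.
_OPTION_1_3 = {
    ("inside", "dmz"): ALLOW,
    ("inside", "outside"): ALLOW,
    ("dmz", "outside"): ALLOW,
    ("outside", "dmz"): PUBLISHED_ONLY,
}
OPTIONS: Dict[int, Dict[Tuple[str, str], str]] = {
    1: _OPTION_1_3,
    2: {
        ("inside", "dmz"): ALLOW,
        ("inside", "outside"): ALLOW,
        ("dmz", "outside"): UNFILTERED,
        ("outside", "dmz"): UNFILTERED,
    },
    3: _OPTION_1_3,
}

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown prefixes are the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


class StatefulFilter:
    """Only the first packet of a flow is subject to the origination matrix."""

    def __init__(self, option: int) -> None:
        self.matrix = OPTIONS[option]
        self.sessions: Set[Flow] = set()

    def verdict(self, flow: Flow) -> str:
        src_ip, src_port, dst_ip, dst_port = flow
        reverse = (dst_ip, dst_port, src_ip, src_port)
        src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
        if src_zone == dst_zone:
            return "same-zone"  # never crosses the firewall
        action = self.matrix.get((src_zone, dst_zone), DENY)
        if action == UNFILTERED:
            return "unfiltered"  # no firewall on this path: host hardening is the only control
        # Return traffic of an admitted session is accepted whatever its direction.
        if flow in self.sessions or reverse in self.sessions:
            return "accept-established"
        if action == ALLOW or (action == PUBLISHED_ONLY and (dst_ip, dst_port) in PUBLISHED):
            self.sessions.add(flow)
            return "accept-new"
        return "drop"


def run(option: int, flows) -> list:
    """Feed a packet sequence through one filter and collect the verdicts."""
    fw = StatefulFilter(option)
    return [fw.verdict(f) for f in flows]


if __name__ == "__main__":
    # Constructed packet sequence: an inside client opens a session to a DMZ web
    # server, the server replies, then the DMZ host tries to reach inside on its own.
    sequence = [
        ("10.1.1.5", 40000, "192.0.2.10", 80),
        ("192.0.2.10", 80, "10.1.1.5", 40000),
        ("192.0.2.10", 40001, "10.1.1.5", 445),
        ("198.51.100.7", 50000, "192.0.2.10", 22),
    ]
    for opt in (1, 2, 3):
        print(f"option {opt}:", run(opt, sequence))
```

The third packet is the case the reply is really about: a DMZ host that is reachable from the Internet must not be able to originate sessions into the inside network, even though its replies to inside-originated sessions go through. The fourth packet shows what separates option 2 from the others: with no firewall on the DMZ/outside path, an unpublished port on a bastion host is defended only by the host itself.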


-----Original Message-----
From: John [mailto:naverxp () yahoo com sg]
Sent: Wednesday, January 12, 2005 5:04 PM
To: security-basics () securityfocus com
Subject: Proxy & Firewall Implementation


Hi

I'm a fresh graduate in the System Administrator field. Recently, with much
luck, I was recommended to a company to implement a firewall system for
their network infrastructure. I hope to pick up some experience from this
forum as to how people here might consider different circumstances when
placing their proxy server inside a protected network (behind the firewall)
or before the firewall. Would I need two firewalls? (I'm considering the
Cisco FW and the CyberGuard FW.)

During my research, I found a document written by a blackhat who suggested
allocating most of my services (httpd, mail, etc.) to a DMZ outside the
internal network and making redundancies every night. My second question:
why did he suggest that? Why expose my services outside the network, where
my information is live and exposed to the risk of being compromised?

John
