Security Basics mailing list archives
RE: Proxy & Firewall Implementation
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 13 Jan 2005 14:16:00 -0800
There's no question that you need at least one firewall filtering traffic between your internal network and the outside world. Your DMZ servers accept connections from that outside world, so you want filtering between them and the inside network, too. But they shouldn't accept each and every connection from the outside. There are three basic ways to do this:

1. Put a firewall between your internal network and the DMZ which allows session origination only from the trusted internal network. Put another firewall between the DMZ and the outside, which allows session origination from the inside and DMZ, and much more limited origination from the outside into just the DMZ.

2. Put a firewall between your internal network and the DMZ which allows session origination only from the trusted internal network. Harden your DMZ servers ("bastion servers") to the gills.

3. Put your internal network, DMZ, and the Internet on three (or more) interfaces of a firewall with appropriate filtering rules for traffic between these zones.

Option #1 can be the most secure, but at the price of a second firewall, more complicated management (especially if the firewalls are of different types or vendors), and probably some performance overhead.

Option #2 can be inexpensive, and provides the best possible performance.

Option #3 offers a good trade-off between price, performance, protection, and manageability.

The relative priority of these four criteria varies from one organization to the next. One size does not fit all.

David Gillett
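The thing all three options have in common is control over *session origination* per zone pair: the inside may open sessions anywhere, the outside may open sessions only to published services on the DMZ, and the DMZ may never open a session inward, while reply packets of an already-admitted session pass in both directions. The following stateful zone-policy model is an added example written for this archive page; it is not code from the original post or from any firewall vendor. The zone names, addresses, the set of published ports and the DMZ-to-outside allowances are assumptions chosen to illustrate option #3 (one firewall, three interfaces), and the session table is a toy stand-in for the connection tracking a real firewall performs.

```python
"""Stateful zone policy for a three-interface firewall (internal / dmz / outside).

Added example for the discussion above; not from the original post.
Zones, addresses and the allowed-port sets below are assumptions.
"""
from dataclasses import dataclass

ZONES = {"internal", "dmz", "outside"}

# New-session policy: (from_zone, to_zone) -> "any" or a set of (proto, dport).
# A zone pair that is absent means "drop new sessions in that direction".
# Assumed values: adjust to what the site actually publishes.
NEW_SESSION_POLICY = {
    ("internal", "dmz"): "any",                                     # admins manage DMZ hosts
    ("internal", "outside"): "any",                                 # normal client traffic
    ("dmz", "outside"): {("udp", 53), ("tcp", 80), ("tcp", 443)},   # DNS, package updates
    ("outside", "dmz"): {("tcp", 25), ("tcp", 80), ("tcp", 443)},   # published mail/web
    # ("dmz", "internal") and ("outside", "internal") are deliberately absent.
}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    sport: int
    dst_zone: str
    dst_ip: str
    dport: int
    proto: str
    syn: bool  # True for the packet that opens a session (TCP SYN / first UDP datagram)


class ZoneFirewall:
    def __init__(self, policy=NEW_SESSION_POLICY):
        self.policy = policy
        self.sessions = set()  # 5-tuples of sessions admitted so far

    @staticmethod
    def _key(p):
        return (p.proto, p.src_ip, p.sport, p.dst_ip, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst_ip, p.dport, p.src_ip, p.sport)

    def filter(self, p):
        """Return 'accept' or 'drop' for one packet, updating session state."""
        if p.src_zone not in ZONES or p.dst_zone not in ZONES:
            return "drop"
        # 1. Packets of an existing session pass in either direction (the
        #    reply direction needs no rule of its own).
        if self._key(p) in self.sessions or self._reverse_key(p) in self.sessions:
            return "accept"
        # 2. Anything else must be a session-opening packet, and the
        #    origination direction must be permitted for this zone pair.
        if not p.syn:
            return "drop"
        allowed = self.policy.get((p.src_zone, p.dst_zone))
        if allowed == "any" or (allowed and (p.proto, p.dport) in allowed):
            self.sessions.add(self._key(p))
            return "accept"
        return "drop"


def run_scenario():
    """Walk a constructed packet sequence through the policy; returns verdicts."""
    fw = ZoneFirewall()
    v = {}
    # Outside client opens HTTP to the DMZ web server: published, accepted.
    v["outside->dmz http syn"] = fw.filter(Packet("outside", "203.0.113.10", 40001, "dmz", "192.0.2.80", 80, "tcp", True))
    # The server's reply is matched by session state, not by a rule.
    v["dmz->outside http reply"] = fw.filter(Packet("dmz", "192.0.2.80", 80, "outside", "203.0.113.10", 40001, "tcp", False))
    # SSH from outside to the DMZ is not published: dropped.
    v["outside->dmz ssh syn"] = fw.filter(Packet("outside", "203.0.113.10", 40002, "dmz", "192.0.2.80", 22, "tcp", True))
    # Outside straight into the internal network: no policy entry, dropped.
    v["outside->internal syn"] = fw.filter(Packet("outside", "203.0.113.10", 40003, "internal", "10.0.0.5", 445, "tcp", True))
    # A compromised DMZ server tries to open a session inward: dropped.
    v["dmz->internal syn"] = fw.filter(Packet("dmz", "192.0.2.80", 50000, "internal", "10.0.0.5", 445, "tcp", True))
    # ...and cannot smuggle a non-SYN "reply" inward either: no state matches.
    v["dmz->internal fake reply"] = fw.filter(Packet("dmz", "192.0.2.80", 443, "internal", "10.0.0.5", 51000, "tcp", False))
    # An internal admin opens SSH to the DMZ; the genuine reply is admitted by state.
    v["internal->dmz ssh syn"] = fw.filter(Packet("internal", "10.0.0.5", 51000, "dmz", "192.0.2.80", 22, "tcp", True))
    v["dmz->internal ssh reply"] = fw.filter(Packet("dmz", "192.0.2.80", 22, "internal", "10.0.0.5", 51000, "tcp", False))
    return v


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:28s} {verdict}")
```

The two DMZ-to-internal cases are the ones that matter when a bastion host is compromised: with no permitted origination direction and no matching session, neither a fresh SYN nor a forged "reply" gets inside, which is exactly the property the inner firewall of option #1 or the zone rules of option #3 are there to provide. A real product tracks TCP state and timeouts far more carefully than this set of 5-tuples; the model only shows which packets a correct policy must and must not let through.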
-----Original Message-----
From: John [mailto:naverxp () yahoo com sg]
Sent: Wednesday, January 12, 2005 5:04 PM
To: security-basics () securityfocus com
Subject: Proxy & Firewall Implementation

Hi,

I'm a fresh graduate in the system administration field. Recently, with much luck, I was recommended to a company to implement a firewall system for their network infrastructure. I hope to pick up some experience from this forum as to how people here consider different circumstances when placing their proxy server inside a protected network (behind the firewall) or in front of the firewall. Would I need two firewalls? (I'm considering the Cisco FW and the CyberGuard FW.)

During my research, I found a document written by a blackhat who suggested allocating most of my services (httpd, mail, etc.) to a DMZ outside the internal network and making redundant copies every night. My second question: why did he suggest that? Why expose my services outside the network, where my information is live and exposed to the risk of being compromised?

John