Firewall Wizards mailing list archives
RE: Reverse Proxy on DMZ
From: "Andreas Haug" <ajh () this net>
Date: Tue, 19 Jan 1999 10:28:55 +0100
Perhaps this is the time for me to leave lurking mode. John Kozubik wrote:
The DMZ is not firewalled. The DMZ exists _between_ the firewall and the router/modem/interface.
and he wrote
You may be asking what the point of an area between the firewall and the router is - it is for machines that should not be given any kind of filtering whatsoever.
and
If someone tells you they are putting their mail or www server in the DMZ, laugh at them for not firewalling these mission critical machines, [...]
Which implies (please correct me if I got this wrong) that (1) the traffic between a DMZ and "the open" (internet, evil subcontractor, etc.) is not guarded by filters and (2) the servers (mail, www, etc.) should reside behind the firewall. I do not share this point of view.

My reasoning is this: I don't trust the web server in any way. If it does its job, serves the pages which it should serve, I consider it good luck. I expect it to fail, to be turned against me. Therefore I can't put it behind the firewall: if it were located behind the firewall, and if it were to "fail" in the worst case, I'd have some bad guy inside the network I wanted to protect.

Can I put the web server in the open? Again, the answer is no. Although I expect it to be broken into, I must do my best to shield it from the evil. The least tool to provide such a shielding would be a packet filter which (1) makes sure only those parts which are more or less "secured" are accessible and (2) constitutes an independent entity which could alarm me if it sees some network traffic which violates the security policy (a la "Your web server is portscanning around. Is it really supposed to do this?").

A place which is not inside "my" network but is not unrestricted either is what I call a DMZ. A place to put things I can't really trust, which is shielded to some extent and which is supervised to some other extent.

Thinking about all this, I am curious to know if I got some of the keywords wrong or if perhaps we need to define our keywords again. I for one use the term "packet filter" for things acting on a packet level. A Cisco with access lists (IOS 11.3+, reflexive, if possible) qualifies. Most installations of Firewall-1 do qualify as a packet filter, not more, in my personal opinion. What John termed "firewall", I would rather call "Application Layer Filter" (ALF, for short), always thinking about which expertise that particular ALF has in respect to the data streams it relays.
The combination of packet filters, ALFs, and servers which are more or less accessible from the "evil" side, all assembled to adhere to a strict security policy, is what I would call a firewall.

Comments, anyone?

andreas.

--
Work: http://www.helupie.de haug () helupie de phone +49 6081 9162-60 fax -80
Home: http://www.this.net me () this net phone +49 7127 9724-54 fax -54
Note: Views expressed above might not reflect those of the people who pay me
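Added example, not part of Andreas Haug's message or of the list archive: the second property he asks of the DMZ packet filter, an independent entity that raises an alarm when it sees traffic violating the policy (the "your web server is portscanning around" case), written as a policy audit over constructed firewall log lines. The three-zone layout (internet / DMZ / internal), the addresses, the allow list and the one-line-per-new-connection log format are all assumptions chosen for illustration; a real filter (Cisco ACL logs, Firewall-1 logs, nftables `log` lines) would need its own parser, but the policy check and the scan heuristic are the same.

```python
"""Audit a DMZ packet-filter policy against constructed firewall log lines.

Assumed three-zone layout (addresses chosen for illustration only):
  internet  everything not listed below
  dmz       192.0.2.0/24  (web server 192.0.2.10, resolver 192.0.2.53)
  internal  10.0.0.0/8
The constructed log format records only the first packet of each new
connection:  <timestamp> NEW <proto> <src>:<sport> -> <dst>:<dport>
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

DMZ = ip_network("192.0.2.0/24")       # assumed
INTERNAL = ip_network("10.0.0.0/8")    # assumed
WEB = ip_address("192.0.2.10")         # assumed DMZ web server
RESOLVER = ip_address("192.0.2.53")    # assumed DMZ resolver


def zone(ip):
    ip = ip_address(str(ip))
    if ip in DMZ:
        return "dmz"
    if ip in INTERNAL:
        return "internal"
    return "internet"


def allowed(src, dst, proto, dport):
    """Allow list of new connections the filter accepts; everything else violates policy.

    Accepts address strings or ipaddress objects.  Note what is deliberately absent:
    nothing from the DMZ may open a connection into the internal net or out to the
    internet except DNS to the DMZ resolver, so a compromised web server is contained.
    """
    src, dst = ip_address(str(src)), ip_address(str(dst))
    zs, zd = zone(src), zone(dst)
    if zs == "internet" and dst == WEB and proto == "tcp" and dport in (80, 443):
        return True                                   # the public web service
    if zs == "internal" and zd == "dmz" and proto == "tcp" and dport in (22, 80, 443):
        return True                                   # admin and testing from inside
    if zs == "dmz" and dst == RESOLVER and dport == 53:
        return True                                   # DMZ hosts may resolve names
    return False


LOG_RE = re.compile(
    r"^(?P<ts>\S+) NEW (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "proto": m["proto"],
            "src": ip_address(m["src"]), "dst": ip_address(m["dst"]),
            "sport": int(m["sport"]), "dport": int(m["dport"])}


def audit(lines, scan_threshold=5):
    """Return (violations, scanners).

    violations: parsed records the policy would not allow, in log order.
    scanners:   DMZ source addresses that opened connections to at least
                scan_threshold distinct ports on one destination, i.e. a DMZ
                host behaving like a port scanner.
    """
    violations = []
    ports = defaultdict(set)                          # (src, dst) -> set of dports
    for rec in filter(None, map(parse, lines)):
        if allowed(rec["src"], rec["dst"], rec["proto"], rec["dport"]):
            continue
        violations.append(rec)
        if zone(rec["src"]) == "dmz":
            ports[(rec["src"], rec["dst"])].add(rec["dport"])
    scanners = sorted({str(src) for (src, dst), p in ports.items()
                       if len(p) >= scan_threshold})
    return violations, scanners


# Constructed sample: normal traffic, then the web server turning against its owner.
SAMPLE_LOG = """\
1999-01-19T10:00:01 NEW tcp 198.51.100.7:40123 -> 192.0.2.10:443
1999-01-19T10:00:02 NEW tcp 10.0.0.9:51000 -> 192.0.2.10:22
1999-01-19T10:00:03 NEW udp 192.0.2.10:33001 -> 192.0.2.53:53
1999-01-19T10:00:04 NEW tcp 192.0.2.10:33002 -> 203.0.113.4:6667
1999-01-19T10:00:05 NEW tcp 192.0.2.10:33003 -> 10.0.0.5:22
1999-01-19T10:00:05 NEW tcp 192.0.2.10:33004 -> 10.0.0.5:25
1999-01-19T10:00:05 NEW tcp 192.0.2.10:33005 -> 10.0.0.5:135
1999-01-19T10:00:05 NEW tcp 192.0.2.10:33006 -> 10.0.0.5:139
1999-01-19T10:00:05 NEW tcp 192.0.2.10:33007 -> 10.0.0.5:445
1999-01-19T10:00:06 NEW tcp 198.51.100.7:40124 -> 10.0.0.5:445
""".splitlines()

if __name__ == "__main__":
    found, scanners = audit(SAMPLE_LOG)
    for r in found:
        print(f"VIOLATION {r['ts']} {zone(r['src'])}->{zone(r['dst'])} "
              f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}/{r['proto']}")
    print("DMZ hosts port scanning:", scanners)
```

On the sample, the first three lines pass; the DMZ web server's outbound connection to an internet host on 6667 and its five connections to an internal host are violations, the latter also tripping the scan heuristic; and the direct internet-to-internal attempt is a violation regardless of the DMZ. The threshold is the tunable part: too low and a legitimate multi-port service triggers it, too high and a slow scan hides below it, which is why the per-flow violations are reported separately from the aggregated scan verdict.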
Current thread:
- Re: Reverse Proxy on DMZ, (continued)
- Re: Reverse Proxy on DMZ Paul D. Robertson (Jan 11)
- Re: Reverse Proxy on DMZ Perry E. Metzger (Jan 12)
- Re: Reverse Proxy on DMZ youngk (Jan 12)
- Re: Reverse Proxy on DMZ Matt McClung, CCSA/CCSE (Jan 13)
- Re: Reverse Proxy on DMZ Perry E. Metzger (Jan 13)
- Re: Reverse Proxy on DMZ Matt McClung, CCSA/CCSE (Jan 13)
- Re: Reverse Proxy on DMZ Perry E. Metzger (Jan 13)
- Re: Reverse Proxy on DMZ John Kozubik (Jan 18)
- Re: Reverse Proxy on DMZ Amos Hayes (Jan 19)
- Re: Reverse Proxy on DMZ Roger Nebel (Jan 20)
- RE: Reverse Proxy on DMZ Andreas Haug (Jan 19)
- Re: Reverse Proxy on DMZ Amos Hayes (Jan 19)
- Re: Reverse Proxy on DMZ Matt McClung (Jan 19)
- Re: Reverse Proxy on DMZ Joseph S D Yao (Jan 20)
- Re: Reverse Proxy on DMZ H . (Jan 21)
- Re: Reverse Proxy on DMZ mike . parsons (Jan 21)