Firewall Wizards mailing list archives
RE: Reverse Proxy on DMZ - 1 FW, 2 FW
From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Tue, 19 Jan 1999 22:43:07 PST
> I do not share this point of view. My reasoning is this: I don't
> trust the web server in any way. If it does its job, serves the
> pages which it should serve, I consider it good luck. I expect it to
> fail, to be turned against me. Therefore I can't put it behind the
> firewall: If it would be located behind the firewall, and if it would
> "fail" in the worst case, I'd have some bad guy inside the network I
> wanted to protect.

Correct. Again, pardon my flippancy in assuming multiple firewalls. These are very valid points, and in a single firewall environment, you are observing good practice.

Please note: in some instances, companies establish completely separate networks for 'publishing' machines such as www, mail, etc. and for 'sensitive' machines. In this model, because there is a completely separate network for the public machines (sometimes at a different physical location, different service provider, etc.) you can use one firewall and put all of the machines behind it because, presumably, all of these machines have the same level of sensitivity.

Alternatively you can use multiple firewalls as I was presuming. Otherwise, stick with the suggestions that have bounced around over the past few days about publishing machines being separated from the sensitive machines in single firewall environments.

kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4