Firewall Wizards mailing list archives

RE: Reverse Proxy on DMZ - 1 FW, 2 FW


From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Tue, 19 Jan 1999 22:43:07 PST

> I do not share this point of view. My reasoning is this: I don't trust
> the web server in any way. If it does its job, serves the pages which
> it should serve, I consider it good luck. I expect it to fail, to be
> turned against me. Therefore I can't put it behind the firewall: If it
> would be located behind the firewall, and if it would "fail" in the
> worst case, I'd have some bad guy inside the network I wanted to
> protect.

Correct.  Again, pardon my flippancy in assuming multiple firewalls.  
These are very valid points, and in a single firewall environment, you 
are observing good practice.

Please note: in some instances, companies establish completely separate 
networks for 'publishing' machines such as www, mail, etc. and for 
'sensitive' machines.  In this model, because there is a completely 
separate network for the public machines (sometimes at a different 
physical location, different service provider, etc.) you can use one 
firewall and put all of the machines behind it because, presumably, all 
of these machines have the same level of sensitivity.

Alternatively you can use multiple firewalls as I was presuming.

Otherwise, stick with the suggestions that have bounced around over the 
past few days about publishing machines being separated from the 
sensitive machines in single firewall environments.


kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4

