Firewall Wizards mailing list archives

RE: Reverse Proxy on DMZ - 1 FW, 2 FW


From: "Andreas Haug" <ajh () this net>
Date: Wed, 20 Jan 1999 07:09:49 +0100


From: John Kozubik [mailto:john_kozubik_dc () hotmail com]
> Correct.  Again, pardon my flippancy in assuming multiple firewalls.

Would you mind explaining this a little bit more? Are you talking about
multiple firewalls behind each other or about the "separate network" case
outlined below?

> These are very valid points, and in a single firewall environment, you
> are observing good practice.

Hmmm... I don't see how my arguments would not hold in a scenario of
multiple firewalls. My latest project was one in which we used several
firewall entities (from two to five, depends on one's definition) and we
posted the web server behind the first layer-3/4 ("stateful packet"?)
filter. If we declare it doomed to fail, why not put it as far away as
possible?

> Please note: in some instances, companies establish completely separate
> networks for 'publishing' machines such as www, mail, etc. and for
> 'sensitive' machines.  In this model, because there is a completely
> separate network for the public machines (sometimes at a different
> physical location, different service provider, etc.) you can use one
> firewall and put all of the machines behind it because, presumably, all
> of these machines have the same level of sensitivity.

Sorry, but I have the strong tendency to separate machines from each other.
Each of those machines resembles a different risk: the Web server might be
broken because of some funny OS/library/Web-server interaction (1), the mail
server because of some buffer overflow. I can't put them on the same network
because I have to know if one behaves "differently". If a chain breaks at the
weakest link, just don't use a chain. Right?

> Alternatively you can use multiple firewalls as I was presuming.

Hmmm... I have a hard time explaining to the end users why every connection to
the internet has to go through four or more TCP/IP stacks. Forgetting this
unrelated thought, I wonder: putting the web server on another network (I
can not fit the mail server in this picture) just moves the problem and --
IMHO -- helps little in terms of security. Or am I missing something?

Regards,

andreas.

(1) Acronym of the day: (A)nother (S)ervice (P)ack. ASP.
--
Work: http://www.helupie.de  haug () helupie de  phone +49 6081 9162-60 fax -80
Home: http://www.this.net    me () this net      phone +49 7127 9724-54 fax -54
Note: Views expressed above might not reflect those of the people who pay me
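
The disagreement above (one shared "publishing" network versus one segment per
exposed machine) comes down to what a compromised web server can reach next.
The following is an added example, not code from either poster: a small
reachability model of the two layouts. It assumes a first-match packet filter
with default drop, RFC 5737 documentation addresses, the host and segment names
shown, and an explicit inter-DMZ drop rule in the segmented layout; all of these
are assumptions for illustration. The point it makes is that two hosts on the
same segment never cross the firewall at all, so no rule list can keep them
apart.

```python
"""Reachability model of a shared DMZ versus per-service DMZ segments.

Added example; not code from the mailing-list thread. Addresses are from
the RFC 5737 documentation ranges, and host/segment names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # source prefix (CIDR)
    dst: str              # destination prefix (CIDR)
    dport: Optional[int]  # destination TCP port, None = any port
    action: str           # "accept" or "drop"


@dataclass(frozen=True)
class Design:
    segments: dict    # segment name -> CIDR hanging off one firewall interface
    hosts: dict       # host name -> (segment name, address)
    rules: tuple      # ordered rule list, first match wins, default drop


def filter_decision(rules, src, dst, dport):
    """First-match evaluation of a packet-filter rule list; unmatched = drop."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action == "accept"
    return False


def reachable(design, src_host, dst_host, dport):
    """Can src_host open a TCP connection to dst_host:dport?

    Hosts on the same segment talk over the shared network with no firewall
    in the path, so the rule list is never consulted for that traffic.
    """
    s_seg, s_ip = design.hosts[src_host]
    d_seg, d_ip = design.hosts[dst_host]
    if s_seg == d_seg:
        return True
    return filter_decision(design.rules, s_ip, d_ip, dport)


def lateral_exposure(design, src="www", dst="mail", ports=(22, 25, 110, 3306)):
    """Ports on dst that a compromised src could connect to (constructed probe set)."""
    return tuple(p for p in ports if reachable(design, src, dst, p))


# Only the services the outside world needs: HTTP to www, SMTP to mail.
PUBLIC_RULES = (
    Rule("0.0.0.0/0", "192.0.2.10/32", 80, "accept"),
    Rule("0.0.0.0/0", "192.0.2.20/32", 25, "accept"),
)

# Layout 1: one 'publishing' network, web and mail share a segment.
SHARED = Design(
    segments={"internet": "0.0.0.0/0", "dmz": "192.0.2.0/24"},
    hosts={"attacker": ("internet", "198.51.100.7"),
           "www": ("dmz", "192.0.2.10"),
           "mail": ("dmz", "192.0.2.20")},
    rules=PUBLIC_RULES,
)

# Layout 2: each exposed service on its own segment behind the same firewall.
# The inter-DMZ drop sits before the broad accepts, so the second public rule
# (SMTP from anywhere) no longer lets the web host reach the mail host.
SEGMENTED = Design(
    segments={"internet": "0.0.0.0/0",
              "web_dmz": "192.0.2.0/28",
              "mail_dmz": "192.0.2.16/28"},
    hosts={"attacker": ("internet", "198.51.100.7"),
           "www": ("web_dmz", "192.0.2.10"),
           "mail": ("mail_dmz", "192.0.2.20")},
    rules=(Rule("192.0.2.0/28", "192.0.2.16/28", None, "drop"),) + PUBLIC_RULES,
)


if __name__ == "__main__":
    for name, design in (("shared", SHARED), ("segmented", SEGMENTED)):
        print(f"{name}: www -> mail reachable on ports {lateral_exposure(design)}")
```

Both layouts serve the public identically (port 80 to www, port 25 to mail from
the outside). The difference is only visible once www is assumed compromised:
on the shared segment every port of the mail host is reachable regardless of
the rule list, while with separate segments the filter sees the traffic and can
drop it. The cost is the one Andreas notes: the web host can no longer hand
mail to the mail server either unless a narrow rule is added for it.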


