Firewall Wizards mailing list archives
RE: Reverse Proxy on DMZ - 1 FW, 2 FW
From: "Andreas Haug" <ajh () this net>
Date: Wed, 20 Jan 1999 07:09:49 +0100
From: John Kozubik [mailto:john_kozubik_dc () hotmail com]

> Correct. Again, pardon my flippancy in assuming multiple firewalls.
Would you mind explaining this a little bit more? Are you talking about multiple firewalls behind each other or about the "separate network" case outlined below?
> These are very valid points, and in a single firewall environment, you are observing good practice.
Hmmm... I don't see how my arguments would not hold in a scenario of multiple firewalls. My latest project was one in which we used several firewall entities (from two to five, depends on one's definition) and we posted the web server behind the first layer-3/4 ("stateful packet"?) filter. If we declare it doomed to fail, why not put it as far away as possible?
> Please note: in some instances, companies establish completely separate networks for 'publishing' machines such as www, mail, etc. and for 'sensitive' machines. In this model, because there is a completely separate network for the public machines (sometimes at a different physical location, different service provider, etc.) you can use one firewall and put all of the machines behind it because, presumably, all of these machines have the same level of sensitivity.
Sorry, but I have the strong tendency to separate machines from each other. Each of those machines resembles a different risk: The Web server might be broken because of some funny OS/Library/Web-Server interaction (1). The mail server because of some buffer overflow. I can't put them on the same network because I have to know if one behaves "different". If a chain breaks at the weakest link, just don't use a chain. Right?
> Alternatively you can use multiple firewalls as I was presuming.
Hmmm... I have a hard time explaining to the end users why every connection to the internet has to go through four or more TCP/IP stacks. Forgetting this unrelated thought, I wonder: Putting the web server on another network (I cannot fit the mail server in this picture) just moves the problem and -- IMHO -- helps little in terms of security. Or am I missing something?

Regards, andreas.

(1) Acronym of the day: (A)nother (S)ervice (P)ack. ASP.

--
Work: http://www.helupie.de haug () helupie de phone +49 6081 9162-60 fax -80
Home: http://www.this.net me () this net phone +49 7127 9724-54 fax -54
Note: Views expressed above might not reflect those of the people who pay me
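The disagreement above is about whether the published hosts share one DMZ network or each sit on their own segment. The following is an added illustration, not code from the thread or from either poster: a small Python model of both designs. The host names, the RFC 5737 documentation addresses (192.0.2.0/24, 203.0.113.0/24) and the rule set are constructed for the example. It makes the point Andreas raises ("I have to know if one behaves different") concrete: on a shared network, traffic from the web server to the mail server never crosses the firewall, so it is neither filtered nor logged; on separate segments the firewall mediates that flow and, with a default-deny policy, drops it.

```python
"""Model the two DMZ designs from the thread: all published hosts on one shared
network behind a single firewall, versus one segment per host so the firewall
mediates (and can log) every host-to-host flow.

All addresses are constructed from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # source segment name ("internet" for anything unknown)
    dst: str      # destination segment name
    dport: int    # TCP destination port
    action: str   # "accept" or "drop"


class Firewall:
    """Segment-aware filter with a default-deny policy and first-match rules."""

    def __init__(self, segments, rules):
        self.segments = {name: ip_network(cidr) for name, cidr in segments.items()}
        self.rules = list(rules)

    def segment_of(self, ip):
        addr = ip_address(ip)
        for name, net in self.segments.items():
            if addr in net:
                return name
        return "internet"  # anything outside a known segment

    def mediated(self, src_ip, dst_ip):
        """Traffic between two hosts on the same segment never reaches the
        firewall: it cannot be filtered, and it leaves no firewall log."""
        return self.segment_of(src_ip) != self.segment_of(dst_ip)

    def evaluate(self, src_ip, dst_ip, dport):
        """Return (mediated, verdict) for a single flow."""
        if not self.mediated(src_ip, dst_ip):
            return False, "accept"          # passes on the wire, unseen
        src, dst = self.segment_of(src_ip), self.segment_of(dst_ip)
        for r in self.rules:                # first match wins
            if r.src == src and r.dst == dst and r.dport == dport:
                return True, r.action
        return True, "drop"                 # default deny


def unmediated_pairs(fw, hosts):
    """Audit helper: host pairs that can talk without the firewall seeing it.
    Returns sorted (name_a, name_b) tuples; an empty list means every
    host-to-host flow is subject to policy and logging."""
    names = sorted(hosts)
    return [(a, b) for a in names for b in names
            if a < b and not fw.mediated(hosts[a], hosts[b])]


# Constructed hosts: a web server and a mail server in the DMZ.
HOSTS = {"web": "192.0.2.10", "mail": "192.0.2.20"}

# Design A: one shared DMZ network behind a single firewall.
SHARED = Firewall(
    segments={"dmz": "192.0.2.0/24"},
    rules=[Rule("internet", "dmz", 80, "accept"),
           Rule("internet", "dmz", 25, "accept")],
)

# Design B: one segment per published host; the firewall sits between them.
SEGMENTED = Firewall(
    segments={"dmz-web": "192.0.2.0/28", "dmz-mail": "192.0.2.16/28"},
    rules=[Rule("internet", "dmz-web", 80, "accept"),
           Rule("internet", "dmz-mail", 25, "accept")],
)


if __name__ == "__main__":
    for label, fw in (("shared DMZ", SHARED), ("segmented DMZ", SEGMENTED)):
        mediated, verdict = fw.evaluate(HOSTS["web"], HOSTS["mail"], 25)
        print(f"{label}: web -> mail:25 mediated={mediated} verdict={verdict}")
        print(f"{label}: unmediated pairs = {unmediated_pairs(fw, HOSTS)}")
```

Note that the shared design also over-permits from the outside: a single "dmz" segment means port 25 is accepted towards the web server and port 80 towards the mail server, whereas per-host segments let each rule name exactly the service that host publishes.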