Security Basics mailing list archives

Re: Firewall and DMZ topology


From: "Chris Berry" <compjma () hotmail com>
Date: Wed, 11 Jun 2003 11:54:33 -0700

From: "Steve Bremer" <steveb () nebcoinc com>
> In theory yes, however, if your administration isn't perfect, it would
> actually LOWER your security stance.  Kind of goes against the KISS
> principle unless you have enough staff/time to keep a close eye on it.
> Guess it all depends on your size.

True, but I figure that's what I'm paid for ;-)  Like you said, it goes
back to administration.  What is complex for one person, may be
easy for another.

I was thinking more along the lines of Linux on one firewall and
OpenBSD on the other.  Knowing one version of *nix usually makes
it easier to use/configure another.  However, I could see where
using a combination like Cisco PIX + MS ISA or even Linux + MS
ISA would require a broader skill set to administer properly than two
versions of *nix.

Yes, the Linux/BSD combo would be easier to administer because they're more similar. Of course, that also means they're more likely to be vulnerable to the same exploit, though less so than two boxes of the same type. Depends greatly on your manpower resources and experience. I know many IT departments these days are critically understaffed, and keeping things simple can help. If, however, you have sufficient time/staff, a two-firewall setup is marginally more secure than a tri-homed firewall, more so if you have IDS sensors at exterior, DMZ, and interior, and the time to monitor them.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Within every man beats a heart of darkness." --The Shadow
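
The trade-off discussed above (one tri-homed firewall versus an exterior/interior pair, and two firewalls on the same OS falling to the same exploit) as a small reachability model. This is example code added to the archive, not part of the original post or of any product the thread mentions; the zone names, ports, OS labels, sample policy and the simplifying rule that a compromised firewall passes all traffic are constructed assumptions.

```python
"""Reachability model: tri-homed firewall vs. two-firewall DMZ.

Toy model, not a real firewall. Zones are names, rules are
(src_zone, dst_zone, dst_port) allow entries, and a compromised
firewall is assumed to pass everything (attacker controls the box).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]   # (src_zone, dst_zone, dst_port)


@dataclass
class Firewall:
    name: str
    os: str                              # assumed labels: "linux", "openbsd"
    allow: Set[Flow] = field(default_factory=set)
    compromised: bool = False

    def permits(self, flow: Flow) -> bool:
        # Once the box is owned, its policy no longer constrains traffic.
        return self.compromised or flow in self.allow


@dataclass
class Topology:
    name: str
    firewalls: Dict[str, Firewall]
    # For each (src_zone, dst_zone) pair: the firewalls a flow traverses, in order.
    paths: Dict[Tuple[str, str], List[str]]

    def reachable(self, flow: Flow) -> bool:
        """A flow gets through only if every firewall on its path permits it."""
        src, dst, _port = flow
        return all(self.firewalls[fw].permits(flow) for fw in self.paths[(src, dst)])

    def exploit(self, vulnerable_os: str) -> List[str]:
        """Apply an exploit that works against one OS to every firewall running it."""
        hit = [fw.name for fw in self.firewalls.values() if fw.os == vulnerable_os]
        for name in hit:
            self.firewalls[name].compromised = True
        return hit


# Constructed sample policy: public web and mail in the DMZ, mail relay into the LAN.
PUBLIC = {("internet", "dmz", 80), ("internet", "dmz", 25)}
RELAY = {("dmz", "lan", 25)}


def tri_homed(os_name: str = "linux") -> Topology:
    """One box with three interfaces enforces the whole policy."""
    fw = Firewall("fw", os_name, allow=PUBLIC | RELAY)
    return Topology("tri-homed", {"fw": fw},
                    {("internet", "dmz"): ["fw"],
                     ("dmz", "lan"): ["fw"],
                     ("internet", "lan"): ["fw"]})


def two_tier(ext_os: str = "linux", int_os: str = "openbsd") -> Topology:
    """Exterior firewall fronts the DMZ; interior firewall guards the LAN."""
    ext = Firewall("ext", ext_os, allow=set(PUBLIC))
    inn = Firewall("int", int_os, allow=set(RELAY))
    return Topology("two-tier", {"ext": ext, "int": inn},
                    {("internet", "dmz"): ["ext"],
                     ("dmz", "lan"): ["int"],
                     ("internet", "lan"): ["ext", "int"]})


# Constructed probe flows an attacker on the Internet would try.
PROBES = [("internet", "dmz", 80), ("internet", "lan", 445), ("internet", "lan", 22)]


def exposure_after_exploit(topo: Topology, vulnerable_os: str) -> Set[Flow]:
    """Probe flows reachable once every firewall running vulnerable_os is owned."""
    topo.exploit(vulnerable_os)
    return {f for f in PROBES if topo.reachable(f)}


if __name__ == "__main__":
    for topo in (tri_homed("linux"), two_tier("linux", "openbsd"), two_tier("linux", "linux")):
        oses = ",".join(fw.os for fw in topo.firewalls.values())
        exposed = sorted(exposure_after_exploit(topo, "linux"))
        print(f"{topo.name:<9} [{oses}] after a Linux exploit: {exposed}")
```

Running it shows the point being argued: with a single Linux exploit, the tri-homed box and the Linux+Linux pair both expose the LAN, while the Linux+OpenBSD pair keeps Internet-to-LAN traffic blocked at the interior firewall. The model ignores everything else that matters in practice (IDS placement, staff time, misconfiguration), which is the part of the thread the code cannot capture.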


