Security Basics mailing list archives
Re: Basic Network Configuration
From: "Anders Reed-Mohn" <anders_rm () utepils com>
Date: Wed, 15 Oct 2003 09:53:33 +0200
> Okay I know this is truly a basic question, but this is after all the
> "security-BASICS" list!

Well, that's what it's here for. However, it is a good idea to search list archives before posting. You will find the answer to your question if you google a bit, looking for the archives of the SANS Intrusions list, as well as security-related newsgroup articles. Also, check the archive for this list, though I haven't searched it for this particular question myself. I am pretty sure you'll find it. Anyway, to the question:
> It seems like using the firewall to do this makes sense, but I'd appreciate
> some external confirmation on that.

It makes a lot of sense. But then, so does the dual-firewall solution. There are no major drawbacks to either of the two, so generally it boils down to a matter of your taste.

How do dual firewalls increase security?

1. An attacker that aims for the DMZ alone, and not the internal network, will hopefully only crack the first firewall, and leave the second alone. Or, more realistically, he will leave it alone long enough for you to detect there is a problem, and engage some countermeasure. This is NOT really any increase in security (note the word "hopefully" above..), more a flavour of "security by obscurity", as the stuff you really want to protect is on your internal network, not in the DMZ.

2. Only if the two firewalls are of different types/makes will security be enhanced. If the two firewalls can be broken in the same way, and just as easily, then there is no real purpose in the second wall.

Why the 3-NIC model? Well, since most companies will employ dual firewalls of the same type, you can just as well simplify your design, and have only one box to maintain. This gives you the same security, but with the added benefit of a simpler config (only one ruleset to maintain) and lower HW cost. Also, there are fewer pieces of HW, and thus fewer parts that can fail. Ease of maintenance is imperative in security.

The downside is that if something breaks, say some HW needs replacement, you will be cutting off the network link for both DMZ and internal while changing parts. In the dual-FW setting, you can take the internal network offline, but still provide the DMZ services to external networks.
> It seems to me that anything that requires access from outside the network
> (Ex. DNS servers, Mail servers, demo servers, etc.) should go in the DMZ. True?

In theory, yes. And this is the goal you should aim for. But I guarantee it's not always that simple in practice.

cheers,
Anders :)
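As an added example (not from Anders' post or the list), here is what the "one ruleset to maintain" for the 3-NIC model looks like as an iptables FORWARD policy, with the DMZ mail and DNS servers the question mentions. Interface names, networks and host addresses are constructed; the script prints rules by default (DRY_RUN=1) so the policy can be reviewed and checked without touching a live firewall.

```shell
#!/bin/sh
# Three-zone firewall: one box, three NICs, one ruleset.
# All names and addresses below are assumed for the example.
WAN=eth0                 # external link
DMZ=eth1                 # DMZ segment
LAN=eth2                 # internal network
LAN_NET=10.0.0.0/24      # constructed internal range
MAIL=192.168.100.25      # constructed DMZ mail server
DNS=192.168.100.53       # constructed DMZ DNS server
DRY_RUN="${DRY_RUN:-1}"  # 1 = print rules, 0 = apply them

# fw: print the rule (review/test) or apply it (DRY_RUN=0 as root).
fw() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_policy() {
    # Default deny on forwarding; every permitted flow is listed explicitly.
    fw -P FORWARD DROP
    # Replies for connections the firewall already accepted.
    fw -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Outside -> DMZ: only the published services, only to their hosts.
    fw -A FORWARD -i "$WAN" -o "$DMZ" -d "$MAIL" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    fw -A FORWARD -i "$WAN" -o "$DMZ" -d "$DNS" -p udp --dport 53 -j ACCEPT
    fw -A FORWARD -i "$WAN" -o "$DMZ" -d "$DNS" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    # Internal -> DMZ and Internal -> outside: users and admins may initiate.
    fw -A FORWARD -i "$LAN" -o "$DMZ" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    fw -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # DMZ -> outside: only what the services themselves need.
    fw -A FORWARD -i "$DMZ" -o "$WAN" -s "$MAIL" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    fw -A FORWARD -i "$DMZ" -o "$WAN" -s "$DNS" -p udp --dport 53 -j ACCEPT
    # DMZ -> internal: nothing. Log first, so a DMZ host that starts probing
    # inward is the signal that buys the detection time the post talks about.
    fw -A FORWARD -i "$DMZ" -o "$LAN" -j LOG --log-prefix "DMZ->LAN denied: "
    fw -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
}

# audit_policy: review the printed ruleset and fail (return 1) if any rule
# would ACCEPT traffic entering on the DMZ NIC and leaving on the LAN NIC.
audit_policy() {
    build_policy | grep -- "-i $DMZ -o $LAN" | grep -q -- "-j ACCEPT" && return 1
    return 0
}
```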