Security Basics mailing list archives

Re: Defense in Depth


From: "Spencer Hall" <SHALL () stvincentshealth com>
Date: Sun, 31 Oct 2004 09:23:23 -0500

A two-firewall structure is just another form of securing your resources.  In most cases it has very little to do with 
confidence in firewall capabilities.

I would not move the https pages to the second firewall - I would use the extranet DMZ for WAN connections to partners, 
VPN and other trusted sources.  I would also put highly secure systems that require significant access to internal host 
resources and do a major lockdown of my rules to these resources.

Ravi Kumar <ravivsn () rocsys com> 10/30/04 02:36 AM >>>
Hi Ronish,
  Why do you prefer two firewalls? Does that mean you are not confident 
enough in the first firewall's capabilities!!

-Ravi

Ronish Mehta wrote:
Hi List,

I have a network setup with 2 firewalls

There is a DMZ on the Internet facing firewall

This DMZ contains servers that host
both "http" and "https" pages

There is no DMZ on the second firewall

From what I understand, this setup is not providing
defense in depth, at least not full defense in depth

I wanted to create a DMZ on the second firewall, and
move servers that host "HTTPS" pages to this new DMZ

Would this new setup improve the security of the
network?

Thanks for comments,

Ronish


      
              