Security Basics mailing list archives
RE: Firewall Implementation Strategy ?
From: "Hayden Searle" <hayden.searle () safecom co nz>
Date: Fri, 15 Oct 2004 18:47:08 +1300
Hi Vijay,

A lot of this depends on the resource you have available and what you are wanting to spend.

A reasonable way of doing it is having an SPI firewall on the outside, like Checkpoint FW1 NG with AI. Create rules to only allow inbound traffic to your DMZ or through a VPN (if you have or want one) and NAT everything at that point to an internal address. In front of the DMZ you could have an ISA server (if you use MS IIS and Exchange) to do the application layer filtering of the actual URLs and the SMTP commands, before passing them on to the server in the DMZ.

Another option is using the AI feature of the Checkpoint firewall to filter the HTTP and SMTP commands along with other filters, in which case you can easily use the public IPs on the DMZ boxes, without NATs on the firewall.

Like I said though, it depends on the size of the company and what they are prepared to spend, but that's a couple of ideas anyway.

Hayden Searle

-----Original Message-----
From: Vijay Kumar [mailto:vijay () calsoftinc com]
Sent: Wednesday, 13 October 2004 11:23 p.m.
To: Security Basics
Subject: Firewall Implementation Strategy ?

Hello,

Currently we are having a software firewall and the DMZ is in another Private Subnet. We use Port Forwarding from the software firewall to access the DMZ servers from outside.

I have seen other implementations of Firewall where the DMZ is in a separate subnet with Public IP Address. From the Firewall we allow only access to certain ports.

Can someone tell me the Pros and Cons of each of these implementations? I need to know the different types of firewall implementation so that I can redesign the new implementation. Where can I get some good guidelines for the same?

Regards,
Vijay.
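
The two layouts discussed in this thread (port forwarding to a private DMZ, and a DMZ on public addresses with only certain ports allowed) can be checked against the same policy: Internet traffic may only reach DMZ hosts on published ports. The following is an added example, not part of the original messages; the addresses, the published-service list and the `Rule`/`audit` names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing plan (private and documentation ranges), not from the thread.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
DMZ_PRIVATE = ipaddress.ip_network("192.168.50.0/24")  # port-forwarded design
DMZ_PUBLIC = ipaddress.ip_network("203.0.113.0/28")    # public-IP design
PUBLISHED = {("tcp", 25), ("tcp", 80), ("tcp", 443)}   # assumed published services

@dataclass
class Rule:
    dst: str                       # destination as seen on the outside interface
    proto: str
    port: Optional[int]            # None means any port
    dnat_to: Optional[str] = None  # real server when the firewall port-forwards

def audit(inbound_rules, dmz):
    """Return findings for Internet-facing accept rules (default action is drop)."""
    findings = []
    for i, r in enumerate(inbound_rules):
        # With port forwarding the packet ends up at the DNAT target.
        real = ipaddress.ip_network(r.dnat_to or r.dst, strict=False)
        if real.overlaps(INTERNAL):
            findings.append((i, "reaches internal network"))
        elif not real.subnet_of(dmz):
            findings.append((i, "destination outside DMZ"))
        if r.port is None or (r.proto, r.port) not in PUBLISHED:
            findings.append((i, "port not a published service"))
    return findings

# Constructed rule sets, each with one deliberate mistake in the last rule.
PORT_FORWARD = [
    Rule("198.51.100.10", "tcp", 80, dnat_to="192.168.50.10"),
    Rule("198.51.100.10", "tcp", 25, dnat_to="192.168.50.11"),
    Rule("198.51.100.10", "tcp", 3389, dnat_to="10.0.0.5"),  # forwards past the DMZ
]
PUBLIC_DMZ = [
    Rule("203.0.113.2", "tcp", 443),
    Rule("203.0.113.3", "tcp", 25),
    Rule("203.0.113.0/28", "tcp", None),  # every port open to the whole DMZ
]

if __name__ == "__main__":
    print("port-forward design:", audit(PORT_FORWARD, DMZ_PRIVATE))
    print("public-IP DMZ design:", audit(PUBLIC_DMZ, DMZ_PUBLIC))
```
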
Current thread:
- Firewall Implementation Strategy ? Vijay Kumar (Oct 13)
- <Possible follow-ups>
- RE: Firewall Implementation Strategy ? Hayden Searle (Oct 15)
- RE: Firewall Implementation Strategy ? Alexis Villagra - VILSOL LatinAmerica (Oct 18)