Re: Defense in Depth

[Kenneth R Swain II <ken () kenswain com>]

Let me see if I can clear something up.

----------
|           |
|           |  Internet facing firewall
---------

DMZ

----------
|           |
|           |   Internal firewall
---------

As you can see the DMZ is the area  in between the two firewalls. You 
really do not want any servers receiving service requests on your most 
protected side(behind the internal firewall). You are doing the right 
thing by keeping them where they are.

Defense in depth is something that takes layers.  You have take one of 
the steps with separating what is receiving requests from the internet 
from your LAN. You now need to finish out the package. You need AV, 
patch management, host based IDS, Network IDS, and auditing just to 
name a few. Defense in depth is hard to achieve for a home user since 
it means computers that are dedicated to things like IDS. Once you have 
these in place you also need configure and tune them. There is no magic 
bullet and it will take some work. Good luck.

-Ken

On Oct 27, 2004, at 3:33 AM, Ronish Mehta wrote:

> Hi List,
>
> I have a network setup with 2 firewalls
>
> There is a DMZ on the Internet facing firewall
>
> The servers on this DMZ contains servers that host
> both "http" and "https" pages
>
> There are no DMZ on the second firewall
>
> From what I understand, this setup is not providing
> defense in depth, at least not full defense in depth
>
> I wanted to create a DMZ on the second firewall, and
> move servers that host "HTTPS" pages to this new DMZ
>
> Would this new setup improve the security of the
> network?
>
> Thanks for comments,
>
> Ronish
>
>
>         
>                 
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail - You care about security. So do we.
> http://promotions.yahoo.com/new_mail
Ken Swain
mail: ken () kenswain com
im: aim:krswain190
web: kenswain.com
"/dev/geek"

Attachment: smime.p7s
Description: