Firewall Wizards mailing list archives
RE: DMZ best practices
From: "Andreas Haug" <ajh () this net>
Date: Wed, 20 Jan 1999 07:45:13 +0100
Someone, Bill_Royds () pch gc ca or John Kozubik (I'm not sure) wrote:
The segment behind a third NIC that carries servers that one runs but may not trust (because they are open to the public) could be called the dirty segment, or server segment. Vendors call it the DMZ because early firewalls with only 2 NICs put servers on the true DMZ.
I strongly protest against calling firewalls (ALFs) with only two NICs "early firewalls". You can get away with calling non-multistaged firewalls "early firewalls", but we would need to define the term multistaged firewall first.

Relating to the whole 2-or-3-NICs question, I would like to ask this group of wizards for comments on the following:

Acronyms:
  IN  Internet
  Ex  Firewall Entity x
  CN  Corporate Network (protection needed)
  WS  Webserver
  X   some other "firewall" or not
  (other servers omitted)

Setup A:

  IN <----> E1 <----> E2 <-----> X <---> CN
            !
            WS

  The Web server is located on a "dirty" network

Setup B:

  IN <----> E1 <-+--> E2 <-----> X <---> CN
                 !
                 WS

  The Web server is located in the first DMZ

Consider this:

(1)  I am trying to make the WS resist attacks below layer 7 (land, boink, teardrop, ...)
(1b) If (1) does not hold, there is a chance that the "new" attack works against E2, too.
(2)  E2 is not able to prevent every attack at layer 7 and above.
(3)  E2 is put at risk by the traffic flowing through it (buffer overflow in proxy).
One does need a segment that allows servers to be protected from direct attacks but would also be restricted in access to internal use.
How about: Compare the risk of losing the web server to the risk of having a firewall broken?

Regards,
andreas.
--
Work: http://www.helupie.de  haug () helupie de  phone +49 6081 9162-60  fax -80
Home: http://www.this.net   me () this net      phone +49 7127 9724-54  fax -54
Note: Views expressed above might not reflect those of the people who pay me
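The trade-off asked about in the message above (the web server's exposure versus the firewall's) can be made concrete by modelling the two diagrams as network segments and asking what a compromised WS can reach without crossing a firewall, and whose traffic passes over its segment. The following is an added example, not code from the thread or any of its participants. It reads Setup A as WS hanging off a third interface of E1 and Setup B as WS sitting on the E1-E2 link; that reading is an assumption, since the alignment of the original ASCII diagrams did not survive the archive. The interface names and segment names are constructed for the example; only the host labels IN, E1, E2, X, CN and WS come from the message.

```python
"""Segment-adjacency model for the two DMZ layouts discussed above.

Each setup is a dict: segment name -> set of attached interfaces, written
"host:ifname". Segment and interface names are constructed for this example.
"""
from collections import deque

FIREWALLS = {"E1", "E2", "X"}

# Assumed reading of Setup A: WS hangs off a third interface of E1 (the "dirty" segment).
SETUP_A = {
    "internet":  {"IN:eth0", "E1:outside"},
    "dirty":     {"E1:dmz", "WS:eth0"},
    "transit1":  {"E1:inside", "E2:outside"},
    "transit2":  {"E2:inside", "X:outside"},
    "corporate": {"X:inside", "CN:eth0"},
}

# Assumed reading of Setup B: WS sits on the segment between E1 and E2 (the "first DMZ").
SETUP_B = {
    "internet":  {"IN:eth0", "E1:outside"},
    "dmz1":      {"E1:inside", "E2:outside", "WS:eth0"},
    "transit2":  {"E2:inside", "X:outside"},
    "corporate": {"X:inside", "CN:eth0"},
}


def _host(iface):
    return iface.split(":", 1)[0]


def _hosts_on(setup, segment):
    return {_host(i) for i in setup[segment]}


def _graph(setup):
    """Bipartite adjacency: every host links to the segments it has an interface on."""
    adj = {}
    for seg in setup:
        adj.setdefault(seg, set())
        for h in _hosts_on(setup, seg):
            adj.setdefault(h, set()).add(seg)
            adj[seg].add(h)
    return adj


def shortest_path(setup, src, dst):
    """BFS over hosts and segments; returns the alternating host/segment path."""
    adj = _graph(setup)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return []
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def firewalls_crossed(setup, src, dst):
    """Firewall hosts traversed on the way from src to dst."""
    return [n for n in shortest_path(setup, src, dst) if n in FIREWALLS]


def layer2_neighbours(setup, h):
    """Hosts that h can reach with no firewall in between (they share a segment)."""
    out = set()
    for seg in setup:
        hosts = _hosts_on(setup, seg)
        if h in hosts:
            out |= hosts - {h}
    return out


def transit_crosses_host(setup, src, dst, h):
    """True if src->dst traffic traverses a segment that h is attached to."""
    return any(h in _hosts_on(setup, n)
               for n in shortest_path(setup, src, dst) if n in setup)


def summarise(setup):
    """Blast-radius summary used to compare the two layouts."""
    return {
        "firewalls_in_front_of_ws": firewalls_crossed(setup, "IN", "WS"),
        "hosts_adjacent_to_ws": sorted(layer2_neighbours(setup, "WS")),
        "corp_traffic_passes_ws_segment": transit_crosses_host(setup, "IN", "CN", "WS"),
    }


if __name__ == "__main__":
    for name, setup in (("Setup A", SETUP_A), ("Setup B", SETUP_B)):
        print(name, summarise(setup))
```

Under this model both layouts put exactly one firewall (E1) between the Internet and WS, so consideration (1) is the same in each. The difference shows up in the other two fields: in Setup B a compromised WS shares a segment with E2 and every packet destined for the corporate network crosses that segment, which is what considerations (1b) and (3) are about; in Setup A the only host adjacent to WS is E1's DMZ interface.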
Current thread:
- DMZ best practices Perry, David (Jan 15)
- Re: DMZ best practices Bennett Todd (Jan 19)
- <Possible follow-ups>
- Re: DMZ best practices John Kozubik (Jan 18)
- Re: DMZ best practices Jeromie Jackson (Jan 19)
- Re: DMZ best practices Amos Hayes (Jan 20)
- Re: DMZ best practices Dominique Brezinski (Jan 19)
- Re: DMZ best practices Jeromie Jackson (Jan 19)
- Re: DMZ best practices Bill_Royds (Jan 19)
- RE: DMZ best practices Andreas Haug (Jan 20)
- Re: DMZ best practices John Kozubik (Jan 20)
- Re: DMZ best practices Security (Jan 20)
- Re: DMZ best practices Dominique Brezinski (Jan 21)
- RE: DMZ best practices Bill_Royds (Jan 21)
- RE: DMZ best practices Andreas Haug (Jan 26)
- Re: RE: DMZ best practices Robert MACDONALD (Jan 21)
- Re: RE: DMZ best practices Joseph S D Yao (Jan 26)
- RE: DMZ best practices Security (Jan 26)
- RE: DMZ best practices Dominique Brezinski (Jan 26)
- RE: DMZ best practices David LeBlanc (Jan 27)
(Thread continues...)