Re: Firewall and DMZ topology

[Erik Vincent <evincent () ndexsystems com>]

Not realy, becouse they are configured differently.

The outer Firewall let traffic from the internet inside the DMZ ie: 
SMTP, HTTP etc...)

But the Inner firewall wont accept any connection from the DMZ to LAN,

ie:  internet <-> Outer Firewall <-> DMZ <- Inner Firewall <- LAN

The Inner firewall will be configured to acept traffic only from the LAN.

So all NEW connection from the DMZ to the LAN are DROP/REFUSE.
This is not the case with the Outer Firewall ie : must forward SMTP, 
HTTP etc..

If your are running no services on the Inner Firewall (not event sshd) 
and use a read-only media (read LRP).
In my point of view, it is a good setup...(On course if you have the 
money to afford CISCO or other thing may be different...)




Zach Crowell wrote:

> Erik Vincent wrote:
>
> > I think there is a major difference between:
> >
> >               1:    internet --> Outer Firewall --> DMZ --> Inner 
> > Firewall --> LAN
> >                            If your Outer Firewall is crack, only the 
> > DMZ computer will be unprotected
> >                             but the LAN portion still protected.
>
>
> Under what conditions would these firewalls be configured any 
> differently from a vulnerability-assessment view point?  i.e., if 
> someone was able to crack the outer firewall, is it not likely they 
> would crack the inner firewall as well?
>
> Zach



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
    
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
         
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------