Security Basics mailing list archives

RE: Firewall and DMZ topology


From: "David Ellis" <David.Ellis () unicam com>
Date: Tue, 10 Jun 2003 15:45:16 -0400

OK, everyone: use a firewall with three network cards in it, one going
to the DMZ, one going to the LAN, and one going to the Internet. Allow
traffic such as SMTP to the DMZ; don't allow any traffic internally.
Store all your SMTP messages in the DMZ. Use an internal program on the
LAN to go out and grab the mail from the DMZ and reroute it internally
to your LAN mail system.

That's all, case closed. No one will be able to sniff the DMZ ports for
passwords if everything is locked up and hardened down.

In my experience of consulting and being on site, the majority of
vulnerabilities in firewalls are two firewalls and misconfiguration. The
configuration that Zach stated below can be accomplished by one
firewall. All it is is different legs on the firewall.

PS: use a stateful packet inspection firewall only! That way it keeps
all the connections in a state table.

Dave

-----Original Message-----
From: Erik Vincent [mailto:evincent () ndexsystems com] 
Sent: Tuesday, June 10, 2003 2:04 PM
To: Zach Crowell
Cc: Chris Berry; security-basics () securityfocus com

Not really, because they are configured differently.

The outer firewall lets traffic from the Internet inside the DMZ (i.e.
SMTP, HTTP, etc.).

But the inner firewall won't accept any connection from the DMZ to the LAN,

i.e.:  internet <-> Outer Firewall <-> DMZ <- Inner Firewall <- LAN

The inner firewall will be configured to accept traffic only from the
LAN.

So all NEW connections from the DMZ to the LAN are DROPped/REFUSEd.
This is not the case with the outer firewall, i.e. it must forward SMTP,
HTTP, etc.

If you are running no services on the inner firewall (not even sshd)
and use read-only media (read: LRP), in my point of view it is a good
setup... (Of course, if you have the money to afford Cisco or other
things, it may be different...)




Zach Crowell wrote:

Erik Vincent wrote:

I think there is a major difference between:

    1:  internet --> Outer Firewall --> DMZ --> Inner Firewall --> LAN

        If your outer firewall is cracked, only the DMZ computer will be
        unprotected, but the LAN portion is still protected.


Under what conditions would these firewalls be configured any
differently from a vulnerability-assessment viewpoint? I.e., if
someone was able to crack the outer firewall, is it not likely they
would crack the inner firewall as well?

Zach
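The following is an added example, not code posted by anyone in this thread. It models the single three-legged stateful firewall Dave describes (Internet, DMZ and LAN legs) with Erik's rule that the DMZ may never open a connection to the LAN, and shows why the state table matters: the internal mail fetcher on the LAN opens the connection, and only replies belonging to that connection are let back through. Zone names, the rule set, and the use of TCP port 110 for the internal mail pickup are assumptions made for the example; the thread does not specify them.

```python
"""Toy model of a three-legged stateful packet filter (added example).

Zones stand in for the firewall's three NICs from the thread: internet
(outside), dmz and lan.  A connection is admitted only if a policy rule
accepts its first packet; every later packet of that connection, in
either direction, is matched against the state table instead.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed zone names; a real firewall keys these on interfaces.
INTERNET, DMZ, LAN = "internet", "dmz", "lan"
ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    in_zone: str   # zone the packet arrived from
    out_zone: str  # zone the packet is routed towards
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    new: bool      # True for a connection-opening packet (TCP SYN)

    def key(self) -> Tuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> Tuple:
        return (self.proto, self.dst, self.dport, self.src, self.sport)


# Policy for NEW connections only: (from_zone, to_zone, proto, dport).
# Illustrative assumption based on the thread, not a copied ruleset.
# Note there is no DMZ->LAN rule and no Internet->LAN rule at all.
RULES: List[Tuple[str, str, str, int]] = [
    (INTERNET, DMZ, "tcp", 25),   # SMTP from the Internet to the DMZ relay
    (INTERNET, DMZ, "tcp", 80),   # HTTP from the Internet to the DMZ web host
    (LAN, DMZ, "tcp", 110),       # internal fetcher pulls mail from the DMZ
]


class StatefulFilter:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.state: Dict[Tuple, str] = {}  # 5-tuple -> "ESTABLISHED"
        self.log: List[str] = []

    def _policy_allows(self, p: Packet) -> bool:
        return any(p.in_zone == fz and p.out_zone == tz
                   and p.proto == proto and p.dport == dport
                   for fz, tz, proto, dport in self.rules)

    def filter(self, p: Packet) -> str:
        # 1. Packets of a known connection pass in both directions.
        if p.key() in self.state or p.reverse_key() in self.state:
            return self._decide(p, ACCEPT, "ESTABLISHED")
        # 2. A non-opening packet with no state entry is dropped; a
        #    stateless filter that trusts the ACK flag would pass it.
        if not p.new:
            return self._decide(p, DROP, "no state")
        # 3. New connections are checked against the zone policy.
        if self._policy_allows(p):
            self.state[p.key()] = "ESTABLISHED"
            return self._decide(p, ACCEPT, "NEW, policy match")
        return self._decide(p, DROP, "NEW, default deny")

    def _decide(self, p: Packet, verdict: str, why: str) -> str:
        self.log.append(f"{p.in_zone}->{p.out_zone} {p.proto}/{p.dport} "
                        f"{verdict} ({why})")
        return verdict


def demo() -> Tuple[List[str], List[str]]:
    """Run the thread's scenarios through the filter; return verdicts and log."""
    fw = StatefulFilter()
    # Constructed sample traffic using documentation address ranges.
    scenarios = [
        Packet(INTERNET, DMZ, "tcp", "203.0.113.5", 40000, "192.0.2.25", 25, True),    # inbound SMTP
        Packet(DMZ, INTERNET, "tcp", "192.0.2.25", 25, "203.0.113.5", 40000, False),   # its reply
        Packet(DMZ, LAN, "tcp", "192.0.2.25", 45000, "10.0.0.10", 143, True),          # DMZ opens to LAN
        Packet(LAN, DMZ, "tcp", "10.0.0.10", 50000, "192.0.2.25", 110, True),          # LAN fetcher to DMZ
        Packet(DMZ, LAN, "tcp", "192.0.2.25", 110, "10.0.0.10", 50000, False),         # fetch reply
        Packet(DMZ, LAN, "tcp", "192.0.2.25", 110, "10.0.0.10", 50001, False),         # ACK with no state
        Packet(INTERNET, LAN, "tcp", "203.0.113.5", 40001, "10.0.0.10", 25, True),     # Internet to LAN
    ]
    verdicts = [fw.filter(p) for p in scenarios]
    return verdicts, fw.log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The third, sixth and seventh scenarios are the ones Erik's inner firewall is meant to stop; the fifth shows that Dave's "internal program grabs the mail" design still works because the LAN side opened the connection and the state table admits only that connection's replies.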



