Security Basics mailing list archives

RE: Firewall and DMZ topology

From: "Chris Berry" <compjma () hotmail com>
Date: Fri, 20 Jun 2003 12:58:20 -0700

From: NC Agent <NC_Agent () kueppers-familie de>
I'm not sure how a tri-homed firewall can be just as secure as a two
firewall setup.  Consider this:

Hacker is able to penetrate your firewall and "owns" the box.  In a
tri-homed firewall, they now have direct access to your internal
network.  If this had been a two firewall setup, they would have to
compromise the second box as well.  While this may not be an issue as
they were already sucessful in owning one firewall, hopefully you have
your intrusion detection system tuned to a greater degree of sensativity
in your DMZ.  And you will be able to discover this second attempt.

I do think tri-homed firewalls are a good solution, but they are not as
secure as a two firewall solution.

Well, as I said earlier I think this would really only help if you have twodifferent firewalls or they'll both be compromised very quickly. Howeverthis raises the administrative burden enough that in my opinion it wouldactually tend to lower your security at most companies. In theory twoshould be better, but you have to have enough manpower to manage it properlywhich in todays budgetary environment isn't that likely. It also depends onthe complexity of your setup, a large company with a complicated structuremight get more benefit than a small one with a simple structure. More isnot always better, I'd rather stick with KISS in most situations, but that'smostly a matter of opinion.


Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Within every man beats a heart of darkness." --The Shadow

_________________________________________________________________

The new MSN 8: advanced junk mail protection and 2 months FREE*http://join.msn.com/?page=features/junkmail



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in

about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm

----------------------------------------------------------------------------

Current thread:

RE: nmap for windows, (continued)
- - - RE: nmap for windows Zekeriya Eskiocak (Jun 12)
    - Re: nmap for windows Chris Gioran (Jun 12)
    - Re: nmap for windows 59cobalt (Jun 12)
- RE: Firewall and DMZ topology David J. Jackson (Jun 11)
- RE: Firewall and DMZ topology Storment, Brandon (Jun 11)
- Re: Firewall and DMZ topology Chris Berry (Jun 11)
  - IDS question [was: Re: Firewall and DMZ topology] Steve Bremer (Jun 12)
- RE: Firewall and DMZ topology Mann, Bobby (Jun 11)
- RE: Firewall and DMZ topology Chris Berry (Jun 11)
- RE: Firewall and DMZ topology John Brightwell (Jun 12)
- RE: Firewall and DMZ topology Chris Berry (Jun 21)