Security Basics mailing list archives

Re: Proxy & Firewall Implementation


From: "florian leibert" <flo () leibert de>
Date: Thu, 13 Jan 2005 19:12:06 +0100

John,

you should place the services that need to be accessed from the outside
inside a DeMilitarized Zone, because if someone gains access to one of the
publicly available services, he would be already inside your network and
could easily bypass your firewall to attack other systems.

since it is usually easier to break into public services (mail, dns, http),
the DMZ allows you to keep public / private services separated.

the proxy should be protected by the firewall - of course your fw has to be
properly secured. you should probably buy the O'Reilly - Firewalls, it
explains the different flavours of firewalls and gives you a good overview.

(if it's a small-mid size network, i would probably go for a packetfilter
based on linux with something like portsentry...)


-- Florian Leibert

----- Original Message ----- 
From: "John" <naverxp () yahoo com sg>
To: <security-basics () securityfocus com>
Sent: Thursday, January 13, 2005 2:04 AM
Subject: Proxy & Firewall Implementation


Hi

I'm a fresh graduate in System Administrator field. Recently, with much
luck, i was recommended to a company to implement a firewall system
to their network infrastructure. I hope to pick some experience from
this forum as to how people in here might consider different
circumstances when placing their proxy server inside a protected network
(behind the firewall) or before the firewall. Would i need two firewalls?
(i'm considering the Cisco FW, and CyberGuard FW).

During my research, i found a documentation written by a blackhat who
suggested to allocate DMZ most of my services (httpd, mail, etc) outside
the internal network and make redundancies every night. My 2nd question,
why did he suggest that? why expose my services outside the network
where my information are Live and exposed to the risk of being
compromised.

John
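
The DMZ separation described in the reply above, written as a three-interface Linux packet filter. This is an added example, not part of the original thread: it uses nftables as the packet filter, and every interface name, address and port choice in it is an assumption made for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Interface names and addresses are assumptions.
flush ruleset

define WAN = "eth0"            # assumed Internet-facing interface
define DMZ = "eth1"            # assumed DMZ segment (public services)
define LAN = "eth2"            # assumed internal network
define DMZ_WEB   = 192.0.2.10  # constructed documentation addresses
define DMZ_MAIL  = 192.0.2.25
define DMZ_DNS   = 192.0.2.53
define LAN_PROXY = 10.0.0.8    # proxy sits on the inside, behind the filter

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $LAN tcp dport 22 accept      # manage the firewall from inside only
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept

        # Internet -> DMZ: only the published services
        iifname $WAN oifname $DMZ ip daddr $DMZ_WEB  tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ ip daddr $DMZ_MAIL tcp dport 25 accept
        iifname $WAN oifname $DMZ ip daddr $DMZ_DNS  udp dport 53 accept
        iifname $WAN oifname $DMZ ip daddr $DMZ_DNS  tcp dport 53 accept

        # DMZ -> Internet: only what the servers need to originate
        iifname $DMZ oifname $WAN ip saddr $DMZ_MAIL tcp dport 25 accept
        iifname $DMZ oifname $WAN ip saddr $DMZ_DNS  udp dport 53 accept
        iifname $DMZ oifname $WAN ip saddr $DMZ_DNS  tcp dport 53 accept

        # LAN -> Internet: web traffic leaves only through the proxy
        iifname $LAN oifname $WAN ip saddr $LAN_PROXY tcp dport { 80, 443 } accept

        # LAN -> DMZ: internal users reach the published services and DNS
        iifname $LAN oifname $DMZ tcp dport { 25, 80, 443 } accept
        iifname $LAN oifname $DMZ ip daddr $DMZ_DNS udp dport 53 accept

        # DMZ -> LAN: a DMZ host may never open a connection inward; log attempts
        iifname $DMZ oifname $LAN log prefix "DMZ->LAN blocked: " drop
    }
}
```

Running `nft -c -f` on the file checks the ruleset without loading it. The logged DMZ-to-LAN drops are the signal to watch, since a published server trying to reach the internal network is what a compromise of that server would look like.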
