Firewall Wizards mailing list archives
Re: DMZ best practices
From: Jeromie Jackson <jeromie () garrison com>
Date: Mon, 18 Jan 1999 23:08:17 -0800
At 04:03 PM 1/16/99 -0800, John Kozubik wrote:
> Now, it is possible to put three NICs in your firewall, and then set up a filtering policy between the outside world and machines off of NIC #1, and set up a less stringent (or complete passthrough) filtering policy between the outside world and machines off of NIC #2. This is not exactly a DMZ, but a lot of vendors call it that. This is, at best, a pseudo DMZ, because the machines are still behind the firewall.

I can think of 2 reasons why you would want to hang machines off a third interface of a firewall, as opposed to off a hub in front of the firewall:

1. Central Audit - If everything has to go across your firewall, there is a centralized audit log. This can be useful in watching what a potential hacker did, for TCP/IP info, etc.

2. Centralized Access Control - If you put your DMZ hosts outside the firewall, you will need to implement ACLs on the routers, or properly configure all the hosts in order to minimize the number of services you can be attacked on. If you place the machines off the third interface of the firewall, you will have a GUI-driven, centralized access control mechanism. Generally firewalls are easier to configure than router ACLs.

> Now, what kind of machines would you put in the DMZ? Not many, in my opinion. Mail, news, www, etc. should _always_ be behind a firewall with a security policy in place.

Your web server certainly should NOT be behind your firewall. This would completely compromise the function of the firewall.

> I would also put a hub between the router and the firewall - even if you don't connect a data collection machine there. This way, if there is ever an emergency and you need to throw something outside the firewall (during an attack, for instance) you can do so without unplugging the network briefly. Also, you can put in a second or third collection machine without disrupting network traffic.

Agreed.

Jeromie Jackson - CISSP
Garrison Technologies
760-633-1843
jeromie () garrison com
Web: http://www.garrison.com
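The two benefits Jeromie argues for (one audit log for everything that crosses the box, and one place where the per-zone access policy lives) are easiest to see with a small model of a three-interface firewall. The following is an added illustration written for this archive page, not code from the post or from any product named in the thread; the zone addresses (TEST-NET-1 for the DMZ, 10/8 for the inside), the interface names and the rule table are constructed assumptions. It applies a default-deny, first-match policy between the outside, DMZ and inside zones, records every decision in one audit log, and shows why a host in the DMZ cannot reach the internal LAN even though both hang off the same firewall.

```python
"""Toy three-interface (outside / DMZ / inside) packet filter.

Added example for the Firewall Wizards 'DMZ best practices' thread; the
addresses, interface names and rules below are constructed, not from the post.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

# One NIC per zone. Anything not in the DMZ or inside ranges is "outside".
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # NIC #1, constructed (TEST-NET-1)
    "inside": ipaddress.ip_network("10.0.0.0/8"),  # NIC #2, constructed
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "accept" or "drop"


# Central access policy: first match wins, anything unmatched is dropped.
# Note there is deliberately no dmz -> inside rule: a compromised DMZ host
# gets the same treatment as the outside world when it turns on the LAN.
POLICY: List[Rule] = [
    Rule("outside", "dmz", "tcp", 80, "accept"),     # public web server
    Rule("outside", "dmz", "tcp", 25, "accept"),     # inbound mail relay
    Rule("dmz", "outside", "tcp", 25, "accept"),     # relay delivering mail out
    Rule("inside", "dmz", "tcp", None, "accept"),    # admins manage DMZ hosts
    Rule("inside", "outside", "tcp", None, "accept"),  # LAN browses the net
]


class Firewall:
    def __init__(self, policy: List[Rule]):
        self.policy = policy
        self.audit_log: List[str] = []   # the single log the post argues for

    @staticmethod
    def zone_of(addr: str) -> str:
        ip = ipaddress.ip_address(addr)
        for name, net in ZONES.items():
            if ip in net:
                return name
        return "outside"

    def filter(self, pkt: Packet) -> str:
        """Return 'accept' or 'drop' and record the decision in the audit log."""
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        action, reason = "drop", "default-deny"
        for idx, rule in enumerate(self.policy):
            if (rule.src_zone, rule.dst_zone, rule.proto) != (src_zone, dst_zone, pkt.proto):
                continue
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            action, reason = rule.action, f"rule#{idx}"
            break
        self.audit_log.append(
            f"{src_zone}->{dst_zone} {pkt.proto}/{pkt.dport} "
            f"{pkt.src}->{pkt.dst} {action} ({reason})"
        )
        return action

    def dropped_by_source(self) -> Dict[str, int]:
        """Per-source count of dropped packets, pulled from the one central log."""
        counts: Counter = Counter()
        for line in self.audit_log:
            if " drop " in line:
                counts[line.split()[2].split("->")[0]] += 1
        return dict(counts)


def run_demo() -> List[str]:
    """Push a few constructed packets through the policy and return the log."""
    fw = Firewall(POLICY)
    samples = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 80),   # outside -> DMZ web: ok
        Packet("198.51.100.7", "10.1.2.3", "tcp", 80),     # outside -> LAN: dropped
        Packet("192.0.2.10", "10.1.2.3", "tcp", 445),      # DMZ -> LAN: dropped
        Packet("10.1.2.3", "192.0.2.10", "tcp", 22),       # LAN -> DMZ admin: ok
    ]
    for pkt in samples:
        fw.filter(pkt)
    return fw.audit_log


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Because every zone crossing is a forward through the same process, the drop summary at the end is the "central audit" Jeromie describes: one log shows both the outside host probing the LAN and the DMZ host doing the same, with no need to collate router ACL logs and per-host logs. The missing `dmz -> inside` rule is the design point behind keeping DMZ hosts on their own interface rather than on the inside segment.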