Firewall Wizards mailing list archives
Re: DMZ best practices
From: Bennett Todd <bet () mordor net>
Date: Tue, 19 Jan 1999 18:04:51 +0000
1999-01-14-20:54:37 Perry, David:
Some firewall implementations allow for an additional interface to be used as a DMZ. Does implementing a DMZ from additional firewall interfaces constitute a best practice?
Your use of the phrase "best practice" makes it sound like you are looking for the kind of accepted practices that rule other disciplines like e.g. accounting. I'm sure once computer security has been around for a few millennia, like accounting has, there will be useful guidelines for GASP (Generally Accepted Security Practices:-). But for the time being, with the problem set and the solution set both mutating out of recognizability on a timescale of months or weeks, the best you can hope for is an informed analysis of each individual case.

Regarding the specific question asked, the answer will depend on details not yet specified. So far I've been able to build my DMZ servers on nice secure OSes --- OSes for which it's very easy to strip or filter all unwanted higher-level services and audit to confirm that it's doing what you told it, and for which there are active developer communities maintaining the low-level IP code and so keeping up to date with the steady rain of new low-level attacks. Thus my DMZ hosts are no weaker than the firewall bastion host itself, and so I put the DMZ outside of the bastion --- accessible to the internet directly through the external screening router, which just imposes anti-IPaddr-spoofing rules and port screening.

If on the other hand you had some mandate to place a public server on some poor OS that can't defend itself, then rigging it off a separate interface from your bastion host firewall may well be a good idea.

-Bennett