Firewall Wizards mailing list archives

RE: NAT


From: sean.kelly () lanston com
Date: Wed, 28 Jul 1999 13:23:00 -0400

From: Tommy Ward [mailto:tommy () securify com]

Sean is correct in that putting a public access server
on the trusted network inside the firewall is not a good idea. If this
server gets compromised, you don't want it to be on the inside of
the firewall where the attacker can easily get to your private network
resources. That is why we have service networks. I believe all of
the commercial firewalls support at least a 3rd interface.

An excellent point, and a clarification that I think was necessary.  We're
actually doing just that here for our operations site.  However, as you
pointed out, the webserver is in a separate physical network from the
internal/trusted network, though both are protected by the firewall (on
different interfaces).  This design certainly makes the firewall work a bit
harder if it's a high-traffic site but also provides added security for the
webserver without compromising the integrity of the internal network.

Sean


