Firewall Wizards mailing list archives
RE: NAT
From: sean.kelly () lanston com
Date: Wed, 28 Jul 1999 13:23:00 -0400
From: Tommy Ward [mailto:tommy () securify com]

Sean is correct in that putting a public access server on the trusted network inside the firewall is not a good idea. If this server gets compromised, you don't want it to be on the inside of the firewall where the attacker can easily get to your private network resources. That is why we have service networks. I believe all of the commercial firewalls support at least a 3rd. interface

An excellent point, and a clarification that I think was necessary. We're actually doing just that here for our operations site. However, as you pointed out, the webserver is in a separate physical network than the internal/trusted network, though both are protected by the firewall (on different interfaces). This design certainly makes the firewall work a bit harder if it's a high-traffic site but also provides added security for the webserver without compromising the integrity of the internal network.

Sean