Firewall Wizards mailing list archives
Re: Why is this secure??
From: Lars Kronfält <lakr () bofh maldata se>
Date: Thu, 25 Nov 1999 09:24:21 +0100 (MET)
This might not be the true answer to your questions, but I wanted to help you a little bit with the config. IMHO you are on the right track. Using a DMZ and a proxy firewall is (IMHO) the most secure thing.

For the configuration, you might want to take a look at: http://www.tis.com/support/maincf.html Look for 'transparency' and 'Service network AKA the third interface'. This info is quite old, but the way of thinking with Gauntlet has not differed that much; you can't do it like this, but you might understand the way of thinking.

BTW, I hope that you are using Gauntlet for Unix, and not Gauntlet for NT. Even if it's the same name and company, it is not the same product. Upgrade to version 5.5 for Unix (it might not be an official release, but it's there, trust me).

You do want to use RFC 1918 addresses in the DMZ, and only use NAT on the outside interface. (I hope that you use RFC 1918 on the inside.)

Then you put up plug-gw between the inside machine and the webserver on the DMZ. (The plug-gw has a small memory leak, might need to be restarted after a month or so, depending on load. And I don't think that you will experience problems using a -gw between inside and DMZ.) Think about the handoff addresses; you probably won't have to bind addresses, but I'm not sure.

Then config a plug-gw on the outside network, doing handoff to the webserver. (You use the same service, but for different networks, interfaces, and addresses.)

Think about that Gauntlet must know the routes to the machine on the inside, and the DMZ. The machines don't. They throw the packets to the default gw (Gauntlet) and the firewall controls where to put them. Where you want to put the routing in Gauntlet is up to you; this could be done in a few ways.

Hope this helps. And if I get some time over today (tomorrow ....) I might try to answer your questions.

// Lars
(The opinion in the letter is mine, not to be confused with that of my company)

On Tue, 23 Nov 1999, Steve Meeters wrote:
I'm not a security expert but have been asked to find a way to allow customers on the Internet to look up parts information on a server behind our firewall. The server has a lot of business applications on it and can't be put in front of the firewall. We are using a Gauntlet firewall.

I have been reading and following discussions on this list for a while and have come up with a plan to put an external web server on the third leg of the firewall and have customers go to this web server, fill out a request form and submit it. Using cgi scripting, the web server will send the request through the firewall to the internal server, which will then send the requested information back to the web server, which will forward it to the customer. Like I said, I'm not an expert at this and have come up with this plan based on what I've read here and in some books.

What I need to know is why is this more secure than letting Internet traffic through the firewall directly to a web server on this internal system? Putting up an external server is going to cost more: we'll need another system, web software, and another interface for the firewall. What threats am I specifically opening our network up to by creating a rule that allows all traffic to the internal server? I read this is a bad idea, but why can't the firewall protect against this? Assume for the sake of argument the firewall is secure. What protection does this type of firewall still provide to our network if this rule is in place? At what OSI levels?

In my plan a rule will be created that will only allow traffic coming from the external web server to pass through the firewall to the internal server. This narrows the field from everyone on the Internet to just the one server. How does this help secure the internal network? If the external server is compromised, doesn't the attacker now have an open path to the internal server, the same as if the external server wasn't there at all?

I know these questions sound elementary to you, but I drew the short straw on this one. I think I am heading towards a relatively secure solution, but I need to justify the $$$.

Thanks for your help
Steve Meeters
meeters () excite com
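To make the two plug-gw rules Lars describes concrete, here is an illustrative netperm-table fragment. It is an added example, not part of either post and not a Gauntlet vendor sample: the syntax follows the TIS FWTK netperm-table conventions that Gauntlet inherited, and the addresses (192.168.2.0/24 for the DMZ, 10.0.0.0/24 inside, 192.168.2.10 for the DMZ web server, 10.0.0.20 for the parts server) and the inside listener port 8080 are all hypothetical; check the syntax against the documentation for your own Gauntlet release before using it.

```conf
# Added example of the two plug-gw instances described above.  NOT from
# the original post.  Syntax is assumed from TIS FWTK netperm-table
# conventions (plug-gw: port <port> <client-pattern> -plug-to <host> -port <port>);
# verify against your Gauntlet release.  All addresses are hypothetical
# RFC 1918 examples.
#
# Assumed layout:
#   outside interface : the firewall's single public address (NAT)
#   DMZ (third leg)   : 192.168.2.0/24, web server at 192.168.2.10
#   inside            : 10.0.0.0/24, parts server at 10.0.0.20

# Rule 1: Internet -> DMZ web server.  The proxy listens on port 80 on
# the outside interface, accepts any client, and hands the TCP session
# off to the DMZ web server only.  No packet from the Internet is ever
# routed into the DMZ; plug-gw terminates the connection itself.
plug-gw: timeout 300
plug-gw: port 80 * -plug-to 192.168.2.10 -port 80

# Rule 2: DMZ web server -> inside parts server.  Only the DMZ web
# server's address matches this rule, and it can reach exactly one
# inside host on exactly one port (the hypothetical listener the CGI
# relay talks to).  A compromised DMZ host therefore gets this single
# TCP channel, not a route into the inside network; anything else it
# tries is dropped because no rule matches it.
plug-gw: port 8080 192.168.2.10 -plug-to 10.0.0.20 -port 8080
```

Rule 2 is the answer to Steve's last question: the narrowing is not just "one source instead of the whole Internet", it is one source, one destination, one port, and a proxy in the middle, so the attacker who owns the DMZ box inherits only the parts-lookup channel rather than an open path. Each plug-gw instance is started for its own interface, and Gauntlet, not the end hosts, holds the routes to the DMZ and inside networks, as Lars notes.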
Current thread:
- Why is this secure?? Steve Meeters (Nov 24)
- Re: Why is this secure?? Lars Kronfält (Nov 28)
- Re: Why is this secure?? Frank Heinzius (Nov 29)
- Re: Why is this secure?? chuck (Nov 29)
- Re: Why is this secure?? Mikael Olsson (Nov 29)