This might be a bit back to basics... sorry if I'm "teaching my granny
how to suck eggs".
> I have questions as to the placement of masquerading rules with respect to
> a DMZ. The question is based on a DMZ using in internal and external
> firewall. I know that _ALL_ traffic leaving the external firewall to hosts
> on the Internet should/must be masqueraded. Does the same hold true for
> the internal firewall? If so, it would seem that the DMZ becomes,
> basically, an invisible network (as far as the Internet and internal
> networks are concerned).
Quite the contrary. The DMZ isn't invisible, it is a place where you put
servers/facilities of less trust, and generally those which _have_ to be
accessed from the outside world (Mail, DNS, Web spring to mind, but any
service that wants to be accessed from the outside world). By placing
this in the DMZ you increase the level of trust in the integrity of the
information you have on those machines. However because they can be seen
from the outside world they are more liable to attack than something
behind your second firewall.
> Should the hosts on the DMZ be able to see the hosts on the internal
> network? Should the hosts on the internal network be able to see the hosts
> on the DMZ?
That's really dependent on your security policy, but if a host on your
DMZ is compromised, then that route into the internal network (which is
going to more than likely be partially visible in something stored on
that host, like a database connect string or whatever), will be the next
point of attack... if the person concerned is looking to get at your
internal data, depending on your attacker they may be happy to hit your
webserver and let it burn... but then they may still have access to your
other network info.
As far as seeing out to the DMZ, well generally you'd want to see what
was in your DMZ, I can't see the point in having a network which is
connected to two others but "invisible". In certain cases an 'empty' DMZ
might be thought of as invisible, but it really just means you have
two levels of filtering of incoming traffic. The external machine can
be used as a main firewall, and watching this will let you know of some
attempted attacks (using port monitors etc) and to keep an eye on the
internal firewall being hit.
One reason for using NAT onto an internal network, for instance, is to
make the architecture of your network less transparent to an external
attacker, so this would mean that your internal network is more
'invisible' than a DMZ, which should use 'real' internet address space.
... yada yada yada yada. Hope this helps.
d.
--
Dorian Moore ..................................... Technical Director
Kleber Design Limited ......................... http://www.kleber.net
"View the source, Luke"
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
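The layout described in the reply above, expressed as iptables rules, as an added example that is not part of the original post or the list discussion: an external firewall that masquerades only the private internal range (DMZ hosts keep their "real" addresses, so nothing matches them in the NAT table), publishes the mail/DNS/web ports into the DMZ and logs everything else it drops, and an internal firewall that lets internal hosts see the DMZ but logs and drops any connection a DMZ host tries to open inwards. The interface names, the address ranges (203.0.113.0/24 for the DMZ, 10.0.0.0/8 internally) and the port list are assumptions chosen for the example; adjust them to your own policy.

```shell
#!/bin/sh
# Added example, not part of the original post. Two-firewall DMZ as
# iptables rules; interface names and address ranges are assumptions.
#
#   Internet --eth0-[external fw]-eth1-- DMZ segment 203.0.113.0/24 (real addresses)
#                                          |
#                                eth0-[internal fw]-eth1-- internal LAN 10.0.0.0/8
#
# Rules are printed by default; run with APPLY=1 on a box with iptables to load them.

DMZ_NET=${DMZ_NET:-203.0.113.0/24}          # assumed DMZ range, public address space
INT_NET=${INT_NET:-10.0.0.0/8}              # assumed internal range, private address space
DMZ_SERVICES=${DMZ_SERVICES:-25,53,80,443}  # assumed published DMZ ports (mail, DNS, web)

# Print the rule, or execute it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# External firewall: eth0 faces the Internet, eth1 the DMZ segment.
external_fw_rules() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The Internet may open connections only to the published DMZ services.
    ipt -A FORWARD -i eth0 -o eth1 -d "$DMZ_NET" -p tcp -m multiport --dports "$DMZ_SERVICES" -j ACCEPT
    ipt -A FORWARD -i eth0 -o eth1 -d "$DMZ_NET" -p udp --dport 53 -j ACCEPT
    # The private range is never reachable from outside; everything else that
    # arrives from the Internet is logged, so this box doubles as the attack monitor.
    ipt -A FORWARD -i eth0 -d "$INT_NET" -j DROP
    ipt -A FORWARD -i eth0 -j LOG --log-prefix ext-fw-drop:
    # Outbound: both DMZ hosts and the internal LAN may reach the Internet.
    ipt -A FORWARD -i eth1 -o eth0 -s "$DMZ_NET" -j ACCEPT
    ipt -A FORWARD -i eth1 -o eth0 -s "$INT_NET" -j ACCEPT
    # NAT: masquerade only the private internal range. DMZ traffic keeps its
    # real source addresses because no POSTROUTING rule matches it.
    ipt -t nat -A POSTROUTING -s "$INT_NET" -o eth0 -j MASQUERADE
}

# Internal firewall: eth0 faces the DMZ segment, eth1 the internal LAN.
internal_fw_rules() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internal hosts may open connections to the DMZ and, through it, to the
    # Internet (narrow this to specific DMZ services if policy demands).
    ipt -A FORWARD -i eth1 -o eth0 -s "$INT_NET" -j ACCEPT
    # In this example no DMZ host opens a connection inwards. Log the attempt:
    # a compromised web server reaching for an internal database is what to watch for.
    ipt -A FORWARD -i eth0 -o eth1 -s "$DMZ_NET" -j LOG --log-prefix dmz-to-internal:
    ipt -A FORWARD -i eth0 -o eth1 -j DROP
    # No NAT here: the external firewall masquerades the internal range on the way out.
}

external_fw_rules
internal_fw_rules
```

The internal firewall deliberately carries no NAT rule: the internal range crosses the DMZ segment with its private addresses and is masqueraded once, at the external box, which therefore needs a route back to 10.0.0.0/8 via the internal firewall's DMZ-side address. If you want a DMZ host to reach one internal service (say the web server's database), add a single ACCEPT for that host, port and destination above the LOG/DROP pair rather than opening the direction generally.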