Why limit yourself to 2 interfaces?
What I believe to be the most common configuration is to have a third (or additional)
leg on the firewall that houses your "untrustworthy" hosts.
This way they are isolated from the internet (and thus can be considered
semi-protected), and also isolated from the internal systems.
Regards,
Crispin Harris
Aza Goudriaan <[EMAIL PROTECTED]> on 03/05/2000 16:04:55
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc: (bcc: Crispin Harris/GECITS-AP)
Subject: Where to place public servers
In a 'security improvement module' about deploying firewalls
(http://www.sei.cmu.edu/pub/documents/sims/pdf/sim008.pdf or in HTML:
http://www.cert.org/security-improvement/modules/m08.html), several
different architectures for placing a firewall are given. In this document
they are speaking about an untrustworthy host, which is a host that isn't
protected by the firewall. Therefore, hosts on the private network (behind
the firewall) can place only limited trust in it.
I think those kinds of hosts are web servers, mail servers and ftp servers.
The people who have written this document, advise this architecture when
using a single firewall:
priv. network --- firewall ----- untrustw. host ----- internet
They motivate their choice with the statement that when the untrustw. host
has been compromised, intruders don't have access to your network. I agree,
but your public host isn't really secured. In my opinion it is better to
place the public host behind the firewall and then create rules to access
that system from internet (static NAT, e.g.), and / or use a reverse proxy.
What is your opinion about it?
TIA.
Kind regards,
Aza Goudriaan.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
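To make the two placements in this thread concrete, here is an added example (not from either poster, nor from the SEI/CERT module they cite) that models a single three-legged firewall as a zone policy: the "untrustworthy" hosts sit on their own DMZ leg as Crispin describes, and they are published to the internet through static NAT as Aza suggests. The interface networks, the public address, the published services and the sample connection attempts are all constructed for illustration. The point it demonstrates is the one both messages care about: a public host that has been compromised cannot open connections into the private network, while the internet can only reach it on the ports that were deliberately published.

```python
"""Zone-policy model of a three-legged firewall with static NAT.

Added example, not code from the original thread or the SEI/CERT module.
Interface networks, addresses, ports and sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed layout: one firewall, three legs (internal, dmz, internet).
ZONES = {
    "internal": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.168.100.0/24"),
}
PUBLIC_IP = ip_address("203.0.113.10")  # constructed public address (TEST-NET-3)

# Static NAT: public address:port -> DMZ host:port.
# These published services are the only inbound paths from the internet.
STATIC_NAT = {
    (PUBLIC_IP, 80): (ip_address("192.168.100.10"), 80),   # web server
    (PUBLIC_IP, 25): (ip_address("192.168.100.20"), 25),   # mail server
    (PUBLIC_IP, 21): (ip_address("192.168.100.30"), 21),   # ftp server
}

# Zone-to-zone policy for NEW connections.  The DMZ is isolated from the
# internal network, so a compromised public host is not a stepping stone.
POLICY = {
    ("internet", "dmz"): "published_only",
    ("internet", "internal"): "deny",
    ("dmz", "internal"): "deny",
    ("dmz", "internet"): "allow",   # e.g. outbound mail/DNS; tighten per service
    ("internal", "dmz"): "allow",
    ("internal", "internet"): "allow",
}


def zone_of(addr):
    """Map an address to the firewall leg it lives on."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


def translate(flow):
    """Apply static NAT: rewrite a published public destination to its DMZ host."""
    key = (ip_address(flow.dst), flow.dport)
    if key in STATIC_NAT:
        real_ip, real_port = STATIC_NAT[key]
        return Flow(flow.src, str(real_ip), real_port), True
    return flow, False


def decide(flow):
    """Return 'accept' or 'drop' for a new connection attempt."""
    src_zone = zone_of(flow.src)
    translated, published = translate(flow)
    if ip_address(translated.dst) == PUBLIC_IP:
        return "drop"   # unpublished port on the firewall's own public address
    dst_zone = zone_of(translated.dst)
    if src_zone == dst_zone:
        return "accept"  # same segment; never crosses the firewall
    rule = POLICY.get((src_zone, dst_zone), "deny")
    if rule == "allow":
        return "accept"
    if rule == "published_only" and published:
        return "accept"
    return "drop"


# Constructed connection attempts, including the "compromised DMZ host" case.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", 80),     # internet -> published web
    Flow("198.51.100.7", "203.0.113.10", 22),     # internet -> unpublished port
    Flow("198.51.100.7", "10.0.0.5", 445),        # internet -> internal host
    Flow("192.168.100.10", "10.0.0.5", 445),      # compromised web host -> internal
    Flow("192.168.100.20", "198.51.100.53", 25),  # mail host -> internet
    Flow("10.0.0.5", "192.168.100.10", 80),       # internal -> dmz
]


def evaluate(flows=SAMPLE_FLOWS):
    """Decide every flow; returns (src, dst, dport, verdict) tuples."""
    return [(f.src, f.dst, f.dport, decide(f)) for f in flows]


if __name__ == "__main__":
    for src, dst, port, verdict in evaluate():
        print(f"{src:>16} -> {dst}:{port:<5} {verdict}")
```

Running it shows the fourth flow, the web host reaching for an internal file server after a compromise, being dropped by the `("dmz", "internal")` rule, which is exactly the isolation the module's single-firewall diagram buys and which Aza's "behind the firewall with static NAT" variant only keeps if the public host is still on a separate leg rather than on the private segment. Treat the `("dmz", "internet")` allow as a placeholder to narrow to the specific outbound ports each service needs.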