> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 15 August 2000 4:51 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Syslog thru Firewall
>
>
> Hi,
>
> The problem as I see it is that you're not just opening up 'SysLog'...
[snip]
>
>
> What I want to do here is set up a second ExtraNet, - a Secure
> Server Net which will host the servers providing services for
> the frontline ExtraNet servers, whether these are for things like
> SysLog or RADIUS or the backends/Databases for the middleware/web
> servers on the Public access ExtraNet.
>
>
> Does anyone have any comments on this approach ?
Sure...first, I have a reputation as a pedant to uphold - I don't think
ExtraNet is the word you want. An "ExtraNet" is a (stupid, marketing) word
to describe an "Intranet" which is extended to external customers and/or
business partners. The word that fits what you're talking about is probably
"DMZ".
You've got an interesting concept. I think there are two main reasons why
this design philosophy isn't very widespread.
Firstly, in many cases the second tier servers you describe _are_ "the
farm". There's no sense protecting anything more than these servers because
they contain huge, valuable lumps of mission critical, saleable data. As
many people as we tell to only have webservers talk to simple,
read-only databases that run side-channel extracts from the real database
there are a dozen more that go ahead and hook Cold Fusion into the live
Oracle back end.
Secondly, it is often a requirement for internal users to have pretty much
full access to the "service" servers for administration, to add/remove
content, because they're also used live by a bunch of internal apps, because
they're Windows Domain Controllers etc etc etc. Given this requirement, the
divider between the service servers and the rest of the trusted LAN needs to
be so full of holes that it may as well not be there, from a security point
of view.
Having said that, the architecture you propose is valid as long as you don't
run into one of the walls above. I quite like it, actually. The one thing I
would probably do is to hang the second-tier DMZ sideways from the main DMZ
- this loses a teeny bit of security but means that all trusted <-->
external traffic doesn't need to pass through an extra device. I don't do
ASCII art, but imagine the router that separates the DMZ from the trusted
LAN with a third interface and the services network living off there.
Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
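The zoning Ben describes (public DMZ, a second-tier services net for syslog, RADIUS and read-only database extracts, and the trusted LAN, all hung off one router with three inside legs) can be written down as a first-match policy and checked before anyone types it into a real firewall. The model below is an added illustration, not code from the original thread or from any product; the address ranges are constructed documentation/private prefixes and the port numbers (syslog 514/udp, RADIUS 1812/udp, Oracle listener 1521/tcp) stand in for whatever the real services use. The audit function encodes the property that makes the tiering worthwhile: the services net never initiates connections outward, and nothing less trusted than the LAN may reach it directly.

```python
"""Zone-based first-match policy model for a two-tier DMZ (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan; the thread gives no addresses.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),          # front-line web / middleware servers
    "services": ip_network("198.51.100.0/24"),  # second tier: syslog, RADIUS, DB extracts
    "trusted": ip_network("10.0.0.0/8"),        # internal LAN
}


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside the known prefixes is external."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    src: str               # zone name or "any"
    dst: str               # zone name or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
        return (self.src in (src_zone, "any")
                and self.dst in (dst_zone, "any")
                and self.proto in (proto, "any")
                and self.dport in (dport, None))


# First match wins; the final rule is the default deny.
POLICY: List[Rule] = [
    Rule("external", "dmz", "tcp", 80, "allow"),
    Rule("external", "dmz", "tcp", 443, "allow"),
    Rule("dmz", "services", "udp", 514, "allow"),     # syslog from the front line
    Rule("dmz", "services", "udp", 1812, "allow"),    # RADIUS authentication
    Rule("dmz", "services", "tcp", 1521, "allow"),    # read-only Oracle extract only
    Rule("trusted", "dmz", "any", None, "allow"),     # admin and content pushes
    Rule("trusted", "services", "any", None, "allow"),
    Rule("trusted", "external", "any", None, "allow"),  # the router's sideways leg
    Rule("any", "any", "any", None, "deny"),
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int,
             policy: List[Rule] = POLICY) -> str:
    """Decide a new connection (stateful replies are assumed to be allowed)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow"  # same-zone traffic never crosses the router
    for rule in policy:
        if rule.matches(src_zone, dst_zone, proto, dport):
            return rule.action
    return "deny"


def audit(policy: List[Rule] = POLICY) -> List[str]:
    """Return allow rules that break the tiering the design relies on."""
    problems = []
    for r in policy:
        if r.action != "allow":
            continue
        if r.src in ("services", "any"):
            problems.append(f"services net may initiate outward: {r}")
        if r.dst in ("trusted", "any") and r.src != "trusted":
            problems.append(f"less-trusted zone may reach the LAN: {r}")
        if r.src == "external" and r.dst in ("services", "any"):
            problems.append(f"public side may reach the services net: {r}")
    return problems


if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.0.2.10", "tcp", 443),
                 ("203.0.113.5", "198.51.100.20", "udp", 514),
                 ("192.0.2.10", "198.51.100.20", "udp", 514),
                 ("192.0.2.10", "10.1.2.3", "tcp", 445),
                 ("198.51.100.20", "192.0.2.10", "tcp", 80)]:
        print(flow, "->", evaluate(*flow))
    print("audit problems:", audit())
```

Running the block prints one decision per sample flow and an empty audit list; adding a rule such as `Rule("services", "external", "tcp", 80, "allow")` to the policy makes `audit()` name it, which is the kind of hole the second wall in the message (admins wanting full access) tends to open.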