At 10:39 06/09/00 +0200, Mikael Olsson wrote:
>[snip]
>So, if you're doing remote management via telnet or something
>else that isn't encrypted, you're basically screwed.
There is also the problem of the ISP network. If some bad guy works for
the ISP or managed to penetrate the ISP network, then he can sniff the
packets. So the risk exists.
I however agree with Ben that the problem is generally over-estimated.
(Note how I manage to agree with the two in this message!).
So while it is an important problem, it is not necessarily more of
a problem than mail viruses. It happens that the word "spoofing" seems
magical compared to "virus".
Note that data encryption is not necessary in some situations. If
confidentiality is not a concern, a replay-protected authentication scheme
is OK, and if I don't mind my security policy being known, then I don't need
confidentiality to administer my FW.
But this seems to be another subject, isn't it?
>By the way, this is why I don't like "inline" DMZs. I want mine
>off of a third leg of the firewall. :)
I ultimately prefer using the inline scheme as you showed, with an additional
FW in front of the DMZ. It has the advantage that you cited, plus the fact that
flows aren't mixed (which is better for performance as well as simplifying
security management). But this is only worth consideration if the additional
price is not a problem.
regards,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
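As an added example (not code from this thread or from either poster), here is one shape the "replay-protected authentication without confidentiality" idea above can take: the firewall issues a fresh random challenge, the administrator answers in the clear with an HMAC over that challenge and the command using a pre-shared key, and the firewall honours each challenge exactly once, so a captured exchange cannot be replayed and the command cannot be swapped. The class and function names, the key and the commands are all constructed for this illustration.

```python
import hmac
import hashlib
import secrets


def compute_tag(key: bytes, nonce: bytes, command: bytes) -> bytes:
    # Bind the tag to both the challenge and the command so neither can be
    # substituted; length-prefix the nonce so the two fields cannot be
    # re-split ambiguously. (Hypothetical helper for this example.)
    msg = len(nonce).to_bytes(2, "big") + nonce + command
    return hmac.new(key, msg, hashlib.sha256).digest()


class FirewallAdminEndpoint:
    """Firewall side: accepts unencrypted admin commands but rejects replays."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._outstanding = set()  # challenges issued but not yet consumed

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # 128-bit random challenge
        self._outstanding.add(nonce)
        return nonce

    def accept(self, nonce: bytes, command: bytes, tag: bytes) -> bool:
        # Each challenge is valid once. Consuming it before checking the tag
        # also stops online guessing against a single challenge.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = compute_tag(self._key, nonce, command)
        return hmac.compare_digest(expected, tag)


def admin_send(key: bytes, nonce: bytes, command: bytes):
    # Administrator side: everything returned here travels in the clear.
    return nonce, command, compute_tag(key, nonce, command)


def demo():
    key = b"constructed-shared-key"          # constructed sample secret
    fw = FirewallAdminEndpoint(key)
    nonce = fw.issue_challenge()
    captured = admin_send(key, nonce, b"show rules")  # what a sniffer sees
    first = fw.accept(*captured)    # genuine exchange: accepted
    replay = fw.accept(*captured)   # same triple again: rejected
    nonce2 = fw.issue_challenge()
    _, _, tag = admin_send(key, nonce2, b"show rules")
    forged = fw.accept(nonce2, b"drop all", tag)  # command swapped: rejected
    return first, replay, forged
```

In a real deployment the outstanding-challenge set would also need an expiry so stale challenges are discarded rather than accumulating.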