At 05:58 PM 7/12/2001 -0500, Ron DuFresne wrote:
>Move that system to the DMZ outside the firewall and network, lockdown the
>services it has opened to the public, consider it a sacrificial lamb, with
>backup images stored for replay. Harden it further with the same tools
>you use for your primary firewall. And then only allow connections from
>within to it to retrieve what you need. Do not allow it to do it's own
>connects inside.
>
>Thanks,
>
>Ron DuFresne
>
>On Fri, 13 Jul 2001, William Bartholomew wrote:
>
> > I have a network with a permanent dial-up connection which I have
> firewalled
> > with a Linux box using IP Chains, Psionic Logcheck, Portsentry and Snort.
> > But one of my machines inside the network has an ADSL connection for large
> > downloads etc., can anyone recommend a personal firewall package that I can
> > install on that machine to protect both it and the other machines
> inside the
> > network?
Would it be better to put it out on the DMZ or to run two DMZ's?
I'd think it would be better to run two firewalls. Something like:
Router/Firewall
|
DMZ
|
Firewall ---- ADSL machine -- Router/Firewall -- ADSL
|
Internal
Network
That way, if a computer in your regular DMZ was compromised, the ADSL machine
would be protected by the company firewall and vice versa.
Furthermore, very restricted access rules could be set down at the
firewalls for access
to the ADSL machine. For example, the Router/Firewall on the ADSL side should
probably block all incoming traffic.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
