At 04:56 PM 7/12/2001 -0700, Alvin Oga wrote:

>hi ...
>
>just my $0.02 worth...
>
> >
> > Would it be better to put it out on the DMZ or to run two DMZ's?
> >
> > I'd think it would be better to run two firewalls.  Something like:
> >
> >   Router/Firewall
> >       |
> >     DMZ
> >       |
> >   Firewall ----  ADSL machine -- Router/Firewall -- ADSL
> >       |
> >   Internal  Network
>
>dmz machines are endpoints... it shouldn't pass traffic to internal
>  lans and firewalls
>
>
>If time and cost and maintenance and skills were more of an issue ...
>I'd propose a simpler solution for some personal networks
>
>
>     internet
>        |
>        |
>adsl router/firewall  ( hardware version ? )
>        |
>  f i r e w a l l   ( ipchains etc )
>   |           |
>  dmz       internal lan
>192.168.x  10.0.1.x
>
>internal lan should NOT allow incoming traffic to the internal lan

I have seen diagrams like that, but they make me a bit nervous
having only a single point of failure to compromise the internal
network.

But you are right in one respect.  Maybe my drawing should have been
something like this instead:

   Router/Firewall -- DMZ
       |
   Firewall ----  ADSL machine -- Router/Firewall -- ADSL
       |
   Internal  Network

My understanding of a DMZ is that it is usually one or more
computers that are hardened and somewhat protected by a
firewall or a router with ACL lists.  I really didn't mean that the
traffic from the internal network to the internet would pass through
each computer in the DMZ.  Just that the company firewall itself
is in the DMZ.

Also, in the message that started this, I had the impression that
they actually have two internet connections.  One through their
ISP for general use and an ADSL connection for limited use.

>yes... if they hack into the firewall you're hosed... but you're
>hosed anyway if they get into any firewall... cause if they get into
>one... they can probably get into the 2nd one that is also misconfigured???

Probably.  But hopefully by the time they get into one and find out
there is another to get through, they will have been discovered and
actions will be started to keep them from going further.

It is clear that the company LAN requires more serious protection
than does the DMZ.  Ideally, the computers in the DMZ should be
hardened (it would take a real lunatic to put a Windows 95 or 98
computer there).

In reality, the demands for protection of the DMZ are much different
from the demands for protection of the internal network.  If you use
a firewall to protect the DMZ instead of ACLs on a router, why not
use one that is tuned to the job.  And for the internal firewall, use
one tuned to that job.

If you just use one firewall for both, there would seem to be a greater
chance of misapplying the rules for one side to also apply to the
other.  It would be easy to accidentally permit incoming traffic on
to the DMZ and the internal network when you really meant to just
limit traffic to the DMZ.

Of course, a large company might reasonably have a large number of
firewalls with individual departments in the company firewalled from
the rest of the company.

Eric Johnson
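The rule-misapplication risk Eric describes above, shown as an added example that is not part of the original thread: a toy first-match packet-filter model of Alvin's single three-legged firewall (internet leg, DMZ leg on 192.168.0.0/24, internal leg on 10.0.1.0/24). The interface name, address ranges, ports and rule representation are all constructed for the illustration.

```python
"""Toy stateless filter model (constructed, not the list's or any product's code).
One rule meant to admit web traffic 'to the DMZ' that omits the destination
network also admits it to the internal LAN; scoping the rule fixes it."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DMZ = ipaddress.ip_network("192.168.0.0/24")       # constructed DMZ range
INTERNAL = ipaddress.ip_network("10.0.1.0/24")     # constructed internal LAN


@dataclass
class Rule:
    in_if: str                                   # interface the packet arrives on
    dst_net: Optional[ipaddress.IPv4Network]     # None matches any destination
    dport: Optional[int]                         # None matches any port
    action: str                                  # "ACCEPT" or "DENY"

    def matches(self, in_if, dst, dport):
        return (self.in_if == in_if
                and (self.dst_net is None or dst in self.dst_net)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, in_if, dst_ip, dport):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(in_if, dst, dport):
            return rule.action
    return "DENY"


# Careless ruleset: "allow inbound port 80" with no destination restriction.
CARELESS = [Rule("ext", None, 80, "ACCEPT"), Rule("ext", None, None, "DENY")]
# Corrected ruleset: the same permit scoped to the DMZ; the LAN is never reachable.
SCOPED = [Rule("ext", DMZ, 80, "ACCEPT"), Rule("ext", INTERNAL, None, "DENY"),
          Rule("ext", None, None, "DENY")]

# Constructed inbound flows from the internet: one to the DMZ web host, one to
# an internal workstation that happens to listen on port 80.
FLOWS = [("ext", "192.168.0.10", 80), ("ext", "10.0.1.25", 80)]


def audit(rules):
    """Verdict per flow, so the two rulesets can be compared side by side."""
    return {dst: evaluate(rules, in_if, dst, port) for in_if, dst, port in FLOWS}


if __name__ == "__main__":
    for name, rules in (("careless", CARELESS), ("scoped", SCOPED)):
        print(name, audit(rules))
```

With the careless ruleset the internal host is reachable from the internet; with the scoped ruleset only the DMZ host is, which is the separation a dedicated per-zone firewall enforces structurally.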

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
