hi ya eric
good... as long as your internal lan/fw is not off of the
dmz... guess we're back in sync... not that it matters..
have fun fw'ing
alvin
http://www.Linux-Sec.net/FW
On Thu, 12 Jul 2001, Eric Johnson wrote:
> At 04:56 PM 7/12/2001 -0700, Alvin Oga wrote:
>
> >hi ...
> >
> >just my $0.02 worth...
> >
> > >
> > > Would it be better to put it out on the DMZ or to run two DMZ's?
> > >
> > > I'd think it would be better to run two firewalls. Something like:
> > >
> > >    Router/Firewall
> > >          |
> > >         DMZ
> > >          |
> > >      Firewall ---- ADSL machine -- Router/Firewall -- ADSL
> > >          |
> > >   Internal Network
> >
> >dmz machines are endpoints... it shouldn't pass traffic to internal
> > lans and firewalls
> >
> >
> >If time and cost and maintenance and skills were more of an issue ...
> >I'd propose a simpler solution for some personal networks
> >
> >
> >                  internet
> >                     |
> >                     |
> >     adsl router/firewall ( hardware version ? )
> >                     |
> >            f i r e w a l l ( ipchains etc )
> >               |            |
> >              dmz      internal lan
> >          192.168.x      10.0.1.x
> >
> >internal lan should NOT allow incoming traffic to the internal lan
>
> I have seen diagrams like that, but they make me a bit nervous
> having only a single point of failure to compromise the internal
> network.
>
> But you are right in one respect. Maybe my drawing should have been
> something like this instead:
>
>    Router/Firewall -- DMZ
>          |
>      Firewall ---- ADSL machine -- Router/Firewall -- ADSL
>          |
>   Internal Network
>
> My understanding of a DMZ is that it is usually one or more
> computers that are hardened and somewhat protected by a
> firewall or a router with ACL lists. I really didn't mean that the
> traffic from the internal network to the internet would pass through
> each computer in the DMZ. Just that the company firewall itself
> is in the DMZ.
>
> Also, in the message that started this, I had the impression that
> they actually have two internet connections. One through their
> ISP for general use and an ADSL connection for limited use.
>
> >yes... if they hack into the firewall you're hosed... but you're
> >hosed anyway if they get into any firewall... cause if they get into
> >one... they can probably get into the 2nd one that is also misconfigured???
>
> Probably. But hopefully by the time they get into one and find out
> there is another to get through, they will have been discovered and
> actions will be started to keep them from going further.
>
> It is clear that the company LAN requires more serious protection
> than does the DMZ. Ideally, the computers in the DMZ should be
> hardened (it would take a real lunatic to put a Windows 95 or 98
> computer there).
>
> In reality, the demands for protection of the DMZ are much different
> from the demands for protection of the internal network. If you use
> a firewall to protect the DMZ instead of ACLs on a router, why not
> use one that is tuned to the job. And for the internal firewall, use
> one tuned to that job.
>
> If you just use one firewall for both, there would seem to be a greater
> chance of misapplying the rules for one side to also apply to the
> other. It would be easy to accidentally permit incoming traffic on
> to the DMZ and the internal network when you really meant to just
> limit traffic to the DMZ.
>
> Of course, a large company might reasonably have a large number of
> firewalls with individual departments in the company firewalled from
> the rest of the company.
>
> Eric Johnson
>
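Added example, not from either poster: a toy first-match packet filter, in Python, modelling the single-firewall layout in Alvin's diagram (an Internet leg, a DMZ leg on 192.168.x and an internal LAN leg on 10.0.1.x). It runs two rule sets against constructed probe packets and shows the slip Eric describes: a port-80 rule meant for the DMZ web server but written with destination "any" also opens port 80 into the internal LAN, and gives a compromised DMZ host a path inward. The subnets 192.168.1.0/24 and 10.0.1.0/24, the host and probe addresses, the interface names "ext"/"dmz"/"lan" and the Packet/Rule classes are all assumptions made for illustration.

```python
"""Toy first-match packet filter for the one-firewall, two-leg layout
(Internet -> firewall -> {DMZ 192.168.x, internal LAN 10.0.1.x}).
Added example; subnets, addresses and probes are constructed, not real."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DMZ = ipaddress.ip_network("192.168.1.0/24")   # assumed DMZ subnet
LAN = ipaddress.ip_network("10.0.1.0/24")      # assumed internal LAN subnet
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str                  # ingress interface: "ext", "dmz" or "lan" (assumed names)
    src: str
    dst: str
    dport: int
    established: bool = False   # reply to a flow an inside host already opened


@dataclass(frozen=True)
class Rule:
    action: str                          # "ACCEPT" or "DENY"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None          # None = any port
    iface: Optional[str] = None          # None = any ingress interface
    established: Optional[bool] = None   # None = don't care

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.dport is None or self.dport == pkt.dport)
                and (self.iface is None or self.iface == pkt.iface)
                and (self.established is None or self.established == pkt.established))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins, as in an ipchains/iptables chain; default DENY."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "DENY"


# The slip Eric warns about: the web-server rule was meant for the DMZ host,
# but its destination is "any", so it also lets port 80 through to the LAN.
SLOPPY = [
    Rule("ACCEPT", ANY, ANY, established=True),     # replies to flows we opened
    Rule("ACCEPT", ANY, ANY, dport=80),             # BUG: dst should be DMZ only
    Rule("ACCEPT", LAN, ANY, iface="lan"),          # LAN hosts may go anywhere
]

# Corrected set: drop inside addresses arriving from outside, deny anything
# unsolicited toward the LAN before any accept, treat DMZ hosts as endpoints
# (no path to the LAN), and pin the web rule to the DMZ subnet.
TIGHT = [
    Rule("DENY",   LAN, ANY, iface="ext"),          # anti-spoofing
    Rule("DENY",   DMZ, ANY, iface="ext"),
    Rule("ACCEPT", ANY, ANY, established=True),
    Rule("DENY",   DMZ, LAN),                       # DMZ must never reach the LAN
    Rule("DENY",   ANY, LAN, established=False),    # no unsolicited traffic inward
    Rule("ACCEPT", ANY, DMZ, dport=80, iface="ext"),   # public web server only
    Rule("ACCEPT", LAN, ANY, iface="lan"),
]

# Constructed probe packets, one per leg of the diagram.
PROBES = [
    Packet("ext", "203.0.113.9",  "192.168.1.10", 80),    # Internet -> DMZ web
    Packet("ext", "203.0.113.9",  "10.0.1.20",    80),    # Internet -> LAN:80
    Packet("ext", "203.0.113.9",  "10.0.1.20",    22),    # Internet -> LAN:22
    Packet("dmz", "192.168.1.10", "10.0.1.20",    80),    # owned DMZ box -> LAN
    Packet("ext", "10.0.1.5",     "10.0.1.20",    80),    # spoofed LAN source
    Packet("lan", "10.0.1.20",    "198.51.100.7", 443),   # LAN -> Internet
    Packet("ext", "198.51.100.7", "10.0.1.20",    51515, established=True),  # reply
]


def lan_exposures(rules: List[Rule]) -> List[Packet]:
    """Probes that a source not on the LAN leg can push into the LAN unsolicited."""
    return [p for p in PROBES
            if ipaddress.ip_address(p.dst) in LAN
            and p.iface != "lan"
            and not p.established
            and decide(rules, p) == "ACCEPT"]


if __name__ == "__main__":
    for name, rules in (("sloppy", SLOPPY), ("tight", TIGHT)):
        print(name)
        for p in PROBES:
            print(f"  {p.iface:3} {p.src:>13} -> {p.dst:>13}:{p.dport:<5} {decide(rules, p)}")
        print("  unsolicited packets accepted into the LAN:", len(lan_exposures(rules)))
```

Running it prints each probe's verdict under both rule sets; the sloppy set lets three unsolicited packets into the LAN (from the Internet, from the DMZ host, and a spoofed 10.0.1.x source), the tight set lets none. The `established` flag stands in for connection tracking, which ipchains did not have (it could only test the TCP SYN bit with `-y`), so returning traffic was harder to pin down on a 2001 box than this model suggests.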
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls