At 09:11 PM 7/12/2001 -0500, Ron DuFresne wrote:

>Why does everyone want to put up another firewall all the time, must be
>catch-phrase time in security.  As we mentioned, this does not require
>another FW unless I misread something here, harden the exposed host and
>only allow the inside to connect out to it.  Its main purpose is to
>gather stuff from an insecure net, and transfer that data inside.  It is
>hardened only to make it more difficult to compromise and thus reduce time
>required to fix.

If a couple of hundred dollars of equipment helps keep the attacks
from succeeding, it's money well spent.  It costs a hell of a lot
more to deal with the attack afterwards.

>How many admins that work on inside networks actually know how to install
>even a semi-hardened server these days?  After all, most incidents happen
>behind the firewall...

Exactly.  That's why it can be a good idea in a large company to use
internal firewalls between internal departments or groups of departments
within the company.

There is a problem in this case, though.  If I understand it correctly,
they have two internet connections.  They have the main internet
connection for general use and they have a separate ADSL for limited
use by the one person.

So, putting that computer in the DMZ doesn't seem to make much
sense.  I guess you could do something like this:

    Internet
        |
DMZ Router/    --- ADSL
    Firewall
        |
      DMZ (including ADSL machine)
        |
    Firewall
        |
     Internal Network

or using Mr. Oga's version:

     internet        ADSL
        |                |
        |                |
adsl router/firewall  ( hardware version ? )
        |
  f i r e w a l l   ( ipchains etc )
   |           |
  dmz       internal lan
192.168.x  10.0.1.x

And, of course, the routing could get a bit more interesting
since the routing would depend on which machine in the
DMZ is the source.  If the source is the web server, mail
server, dns server, ..., it would go out over the general
internet connection.  If the source is the machine used
with the ADSL, its traffic should go out over the ADSL
connection.  He did say that the ADSL connection was not
to be shared with others by his subscription agreement.

Or am I wrong in thinking that there are two
internet connections under consideration?

Eric Johnson 
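The source-based routing Eric describes (DMZ servers out the general link, only the subscribed host out the ADSL link) as an added example, not part of the original thread: a Linux policy-routing script using iproute2 and iptables in place of the ipchains of the period. All addresses and interface names (DMZ 192.168.1.0/24, ADSL host 192.168.1.50, ADSL link ppp0 via gateway 10.64.0.1, general link eth0, LAN 10.0.1.0/24) are constructed assumptions; it prints the commands unless RUN is set empty.

```shell
#!/bin/sh
# Added example: source-based egress for the two-uplink DMZ layout above.
# Constructed values, not from the e-mail thread.
DMZ_IF=eth1; INET_IF=eth0; ADSL_IF=ppp0
ADSL_HOST=192.168.1.50; ADSL_GW=10.64.0.1; LAN=10.0.1.0/24
RUN=${RUN-echo}   # default: print commands; RUN= applies them (needs root)

adsl_policy_routing() {
    # Routing table 100 exists only to hold the ADSL default route; the
    # main table keeps the general internet default via $INET_IF.
    $RUN ip route add default via "$ADSL_GW" dev "$ADSL_IF" table 100
    # Only packets *sourced* by the ADSL host consult table 100. Web, mail
    # and DNS servers in the DMZ fall through to main and leave via eth0.
    $RUN ip rule add from "$ADSL_HOST" lookup 100 priority 1000
    # Enforce the single-subscriber clause in the firewall as well: forward
    # out the ADSL link only for the ADSL host, drop everything else
    # (including anything from the internal LAN that finds a route there).
    $RUN iptables -A FORWARD -i "$DMZ_IF" -s "$ADSL_HOST" -o "$ADSL_IF" -j ACCEPT
    $RUN iptables -A FORWARD -o "$ADSL_IF" -j DROP
    # Return traffic from the ADSL side goes only to the ADSL host, and only
    # for connections it opened.
    $RUN iptables -A FORWARD -i "$ADSL_IF" -d "$ADSL_HOST" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -i "$ADSL_IF" -j DROP
}

# egress_link SRC_IP: the decision the rules above implement, usable to
# check a host's expected uplink before applying the rules.
egress_link() {
    case "$1" in
        "$ADSL_HOST") echo "$ADSL_IF" ;;
        *)            echo "$INET_IF" ;;
    esac
}

adsl_policy_routing
```

Run it once with RUN unset to review the generated commands, then `RUN= sh script.sh` on the firewall host itself.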

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
