Hi list

I have a DMZ host that needs to talk to a bunch of internal systems, but it's a 
different service to each machine, e.g. ftp to the first, port 3333 to the second and 
so on... 

To solve this, I created a rule like this:

DMZ-host -> List of internal machines -> list of needed services -> accept -> long

All is neatly packed into a single rule, but:

The security risk I see here is that if the DMZ host is hacked, an attacker could do 
ftp to all machines listed, not just to the one machine where it is really needed.

As far as I can see I'd have to have a rule for each internal host, but that would 
blow up the rulebase enormously. 

I'd be very grateful for any hints on how this could be done differently.

Cheers
Ralf G.
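As an added illustration (not part of Ralf's post), the script below makes the over-permission of a single "hosts x services" rule explicit and shows the usual compromise: group the internal hosts by the exact service set they need, so you get one rule per distinct service set rather than one per host, while allowing only the required pairs. Host and service names are constructed sample values.

```python
from itertools import product

# Constructed sample: the (internal host, service) pairs the DMZ host really needs.
NEEDED = {
    ("srv-a", "ftp"),
    ("srv-b", "tcp/3333"),
    ("srv-c", "ftp"),
    ("srv-c", "https"),
    ("srv-d", "https"),
    ("srv-e", "ftp"),
    ("srv-f", "https"),
}


def product_rule_pairs(needed):
    """Pairs a single rule 'DMZ-host -> all hosts -> all services' actually allows."""
    hosts = {h for h, _ in needed}
    services = {s for _, s in needed}
    return set(product(hosts, services))


def excess_pairs(needed):
    """Pairs the combined rule allows that nobody asked for (the exposure)."""
    return product_rule_pairs(needed) - set(needed)


def minimal_rules(needed):
    """One rule per distinct service set: hosts needing exactly the same
    services share a rule, so nothing beyond `needed` is permitted."""
    per_host = {}
    for host, svc in needed:
        per_host.setdefault(host, set()).add(svc)
    groups = {}
    for host, svcs in per_host.items():
        groups.setdefault(frozenset(svcs), set()).add(host)
    rules = [(sorted(hosts), sorted(svcs)) for svcs, hosts in groups.items()]
    return sorted(rules, key=lambda rule: rule[0])


def rules_allow(rules):
    """Expand a rule list back into the set of (host, service) pairs it permits."""
    return {pair for hosts, svcs in rules for pair in product(hosts, svcs)}


if __name__ == "__main__":
    print("combined rule allows", len(product_rule_pairs(NEEDED)), "pairs")
    print("of which unneeded:", sorted(excess_pairs(NEEDED)))
    for hosts, svcs in minimal_rules(NEEDED):
        print("rule:", hosts, "->", svcs)
```

With the sample above the single combined rule allows 18 pairs of which 11 are unneeded, whereas grouping yields 4 rules (instead of 6 per-host rules) that permit exactly the 7 required pairs.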




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================