Ralf,

You are correct. Your rulebase wants to be very specific
and not include unwanted results, because a more
generic rule was in place. You seemed concerned about
how your rulebase looks. You should be concerned over
how it acts. What's your definition of enormous?

Now for the communications between your 'DMZ' and
internal net. Anytime you allow this, your risk is increased.
By how much depends on how it's designed. I would
gather all of the documentation about which systems
need to talk with which and how. Then start weighing
the pros and cons of different designs.

Many sites would like the system(s) in the 'DMZ' to
initiate the connection to the internal based upon some
event on the system(s) in the 'DMZ'. This is where you
get to choose among evils.

I would have it so the internal system(s) must contact
the external. This only buys you a little more security,
but stops the 'DMZ' systems (that may have been
attacked) from directly accessing the internal systems
at will.

You might want to look into reverse proxying, strong
authentication and encryption to your external systems.
This would be ugly if you have many customers
accessing your site.

Best of Luck!
Robert

- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n   F o o d    S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]

>>> "Ralf Günthner" <[EMAIL PROTECTED]> 8/9/00 5:13:31 AM >>>
>
>Hi list
>
>I have a DMZ host that needs to talk to a bunch of internal systems, but it's a
>different service to each machine, eg. ftp to the first, Port 3333 to the second and so on...
>
>To solve this, I created a rule like this:
>
>DMZ-host -> List of internal machines -> list of needed services -> accept -> long
>
>All is neatly packed into a single rule, but:
>
>The security risk I see here is, that if the DMZ host is hacked, an attacker could do
>ftp to all machines listed, not just to the one machine where it is really needed.
>
>As far as I can see I'd have to have a rule for each internal host, but that would
>blow up the rulebase enormously.
>
>I'd be very grateful for any hints how this could be done differently.
>
>Cheers
>Ralf G.
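The following is an added worked example, not code from either poster or from Check Point. It models the situation in Ralf's post and Robert's reply: a single rule whose source, destination and service columns are all object lists matches the Cartesian product of those lists, so it silently permits every combination, not just the flows that were needed. The script expands such a rule, lists the unintended permits, and then regroups the needed flows so that hosts requiring exactly the same service set share one rule. It goes slightly beyond the thread in that the regrouping shows the rulebase grows with the number of distinct access patterns rather than the number of internal hosts. Host names, service names and the flow table are constructed sample data.

```python
# Added example (not from the original thread): audit a "list -> list -> list"
# firewall rule against the flows that are actually required, then regroup.
from itertools import product
from collections import defaultdict

# Constructed sample: the flows the DMZ host genuinely needs, as (src, dst, service).
NEEDED_FLOWS = {
    ("dmz-host", "int-1", "ftp"),
    ("dmz-host", "int-2", "tcp/3333"),
    ("dmz-host", "int-3", "tcp/3333"),
    ("dmz-host", "int-4", "https"),
}


def expand_rule(sources, destinations, services):
    """Expand one rule into every (src, dst, svc) tuple it permits.

    When each column holds a list of objects, the rule matches any source in the
    list to any destination in the list on any listed service, i.e. the full
    Cartesian product of the three lists."""
    return set(product(sources, destinations, services))


def collapsed_rule(flows):
    """Build the single-rule version described in the post: every source,
    destination and service from the flow table collected into one list each."""
    sources = sorted({f[0] for f in flows})
    destinations = sorted({f[1] for f in flows})
    services = sorted({f[2] for f in flows})
    return sources, destinations, services


def unintended_permits(rule, flows):
    """Return the tuples the rule allows that were never required.

    Each of these is a path a compromised DMZ host could use that the
    operator did not mean to open."""
    return expand_rule(*rule) - set(flows)


def regroup_by_service_set(flows):
    """Generate one rule per distinct (source, service-set).

    Destinations that need exactly the same services share a rule, so the
    rulebase size equals the number of distinct access patterns, not the
    number of internal hosts, and no unintended (dst, svc) pair is permitted."""
    svc_by_dst = defaultdict(set)
    for src, dst, svc in flows:
        svc_by_dst[(src, dst)].add(svc)
    groups = defaultdict(set)
    for (src, dst), svcs in svc_by_dst.items():
        groups[(src, frozenset(svcs))].add(dst)
    rules = []
    for (src, svcs), dsts in sorted(groups.items(),
                                    key=lambda kv: (kv[0][0], sorted(kv[0][1]))):
        rules.append(([src], sorted(dsts), sorted(svcs)))
    return rules


def permits_exactly(rules, flows):
    """True when the rule set permits the required flows and nothing else."""
    allowed = set()
    for rule in rules:
        allowed |= expand_rule(*rule)
    return allowed == set(flows)


if __name__ == "__main__":
    single = collapsed_rule(NEEDED_FLOWS)
    extra = unintended_permits(single, NEEDED_FLOWS)
    print(f"single rule permits {len(expand_rule(*single))} flows, "
          f"{len(NEEDED_FLOWS)} needed, {len(extra)} unintended:")
    for src, dst, svc in sorted(extra):
        print(f"  {src} -> {dst} : {svc}")
    regrouped = regroup_by_service_set(NEEDED_FLOWS)
    print(f"regrouped into {len(regrouped)} rules, exact match: "
          f"{permits_exactly(regrouped, NEEDED_FLOWS)}")
    for src, dsts, svcs in regrouped:
        print(f"  {src} -> {dsts} -> {svcs}")
```

With the sample flow table the collapsed rule permits 12 combinations of which 8 were never required (for example ftp to every internal host), while the regrouped version needs 3 rules rather than 4 per-host rules and permits nothing beyond the required set. The same audit can be run over an exported rulebase by replacing the constructed flow table with the real one.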

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================