> Hi list
>
> I have a DMZ host that needs to talk to a bunch of internal systems, but
> it's a different service to each machine, e.g. ftp to the first, port 3333 to
> the second and so on...
>
> To solve this, I created a rule like this:
>
> DMZ-host -> list of internal machines -> list of needed services ->
> accept -> long
>
> All is neatly packed into a single rule, but:
>
> The security risk I see here is that if the DMZ host is hacked, an
> attacker could do ftp to all machines listed, not just to the one machine
> where it is really needed.
>
> As far as I can see I'd have to have a rule for each internal host, but
> that would blow up the rulebase enormously.

Yes, as far as I can see those are the only options available. I think you
can use your single neat rule ONLY IF you can make sure that the internal
machines have all unnecessary services (those not used by the host on the
DMZ) disabled, but that should not be your case anyway.

So consider having a longer rulebase.

Regards,
Fábio.
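The point made in this exchange, that a rule with a destination list and a
service list permits the Cartesian product of the two and not the pairing the
administrator had in mind, is easy to check mechanically. The script below is
an added example written for this thread; it is not Check Point code and not
part of the original posts. The host names, ports and the "needed" and
"listening" tables are constructed for illustration. It expands a rulebase
into individual flows, diffs them against the flows actually needed, and also
applies the caveat from the reply: a permitted flow only matters if the
internal host really listens on that service.

```python
"""Expand a firewall rulebase into the individual flows it permits and compare
them with the flows actually needed.

Added example for the thread above; not Check Point code or part of the
original posts. Host names, ports and the NEEDED / LISTENING tables are
constructed for illustration.
"""
from itertools import product

DMZ_HOST = "dmz-host"

# Constructed: the one service each internal host really needs from the DMZ host.
NEEDED = {
    "int-ftp": {"ftp/21"},
    "int-app": {"tcp/3333"},
    "int-db": {"tcp/1521"},
}

# Constructed: what each internal host actually listens on. int-ftp also has a
# leftover tcp/3333 listener that nobody intends the DMZ host to reach.
LISTENING = {
    "int-ftp": {"ftp/21", "tcp/3333"},
    "int-app": {"tcp/3333"},
    "int-db": {"tcp/1521"},
}


def expand(rules):
    """Expand a rulebase into the set of (src, dst, service) flows it permits.

    Each rule is (sources, destinations, services). A list in a column matches
    any member, so one rule permits the Cartesian product of its three columns.
    """
    flows = set()
    for srcs, dsts, svcs in rules:
        flows.update(product(srcs, dsts, svcs))
    return flows


def intended_flows(src, needed):
    """The flows the administrator actually means to allow."""
    return {(src, dst, svc) for dst, svcs in needed.items() for svc in svcs}


def consolidated_rulebase(src, needed):
    """The single 'neat' rule: one destination list and one service list."""
    all_services = set().union(*needed.values())
    return [([src], sorted(needed), sorted(all_services))]


def per_host_rulebase(src, needed):
    """The longer rulebase: one rule per internal host with only its service."""
    return [([src], [dst], sorted(svcs)) for dst, svcs in sorted(needed.items())]


def excess_flows(rules, src, needed):
    """Flows permitted by the firewall that no internal host needs."""
    return expand(rules) - intended_flows(src, needed)


def exposed_flows(rules, listening):
    """Flows that are both permitted and answered by a listening service.

    This is the caveat in the reply: the consolidated rule is only as safe as
    the internal hosts' own service inventory.
    """
    return {(s, d, svc) for s, d, svc in expand(rules)
            if svc in listening.get(d, set())}


if __name__ == "__main__":
    neat = consolidated_rulebase(DMZ_HOST, NEEDED)
    intended = intended_flows(DMZ_HOST, NEEDED)
    for flow in sorted(excess_flows(neat, DMZ_HOST, NEEDED)):
        print("consolidated rule also permits: %s -> %s %s" % flow)
    for flow in sorted(exposed_flows(neat, LISTENING) - intended):
        print("and that service is actually listening: %s -> %s %s" % flow)
    strict = per_host_rulebase(DMZ_HOST, NEEDED)
    print("per-host rulebase excess:", excess_flows(strict, DMZ_HOST, NEEDED))
```

With the constructed tables the single rule permits nine flows where three are
needed, and one of the six extra flows (dmz-host -> int-ftp on tcp/3333) is
actually answered by a listening service, which is exactly the exposure the
original post worries about. The per-host rulebase permits only the three
intended flows. The same expansion works for any rulebase expressed as
(sources, destinations, services) triples, so it can be run over a rulebase
export to find rules whose destination and service lists quietly multiply.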



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
