Yesterday, Dave Nichols gleaned this insight:

> Folks,
> 
> Just a question coming out of some work I'm doing today.  I was always
> taught that a double firewall surrounded a TRUE DMZ (one in front, one in back).
> 
> I see more and more people representing DMZs coming off a SINGLE firewall,
> the same one which protects the corporate jewels... and implementing the
> differences in rules only...
> 
> Of course, my current employer (who shall remain nameless but is a large
> network vendor) always shows a single firewall...
> 
> What do y'all think?


Lemme guess: Could it be... Cisco?  (no I'm not Church-Lady)


In practice, there's very little difference between this:


    EXTERNAL   -------  DMZ  --------  Internal Network
   -----------+  FW1  +-----+  FW2   +-----------------
               -------       --------

And this:

                        |
                        | external 
                        |
                     +--+--+
                     |     |   DMZ
                     | FW1 +------------
                     |     |
                     +--+--+
                        |
                        |  internal network
                        |


Cisco likes to draw the bottom one... In both cases, there's a firewall
between the DMZ and the external network, there's a firewall between the
DMZ and the private network, and there is at least one firewall between
the internal network and the external network.

You can argue that with two firewalls between internal and external,
you've doubled your protection; but it's easy to refute that.  For
example, many times the two FWs are the same type of machine with the same
software, so if you can compromise one, you can compromise the other just
as easily (in theory).  Also, often the internal firewall is less
locked-down than the external one, since you might be inclined to leave
certain holes in the internal one to allow machines in the DMZ to
communicate necessary data to internal hosts.

You can argue back and forth and create various scenarios that will
improve security (such as dual firewalls of differing types with different
forms of authentication required to get through) or detract from it.  The
bottom line is cost:  You can improve security only so much, but the cost
can increase almost limitlessly.  When you look at the cost of going with
two as compared to the amount of security you've gained (don't forget the 
cost of educating your staff and of paying them to maintain both), most
often you'll find that it's not worth the extra cost, unless you're
working for one of those few Deep-Pockets companies, like Microsoft (do
they know anything about security?) or IBM or such.

Hey I used to work for a Dave Nichols (er, well, sort of) at a medical
company based in the area... that's not you is it?  I'm nearly positive
you aren't him, but I gotta ask. :)

-- 
You know that everytime I try to go where I really want to be,
It's already where I am, cuz I'm already there...
---------------------------------------------------------------
Derek D. Martin              |  Unix/Linux Geek
[EMAIL PROTECTED] |  [EMAIL PROTECTED]
---------------------------------------------------------------


**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************

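The rule set that makes the single-firewall ("bottom") drawing work is the part the thread leaves implicit, so here is an added example that is not part of the original post or the list discussion: an nftables ruleset for a three-interface firewall (external, DMZ, internal). The interface names, the 192.0.2.0/24 DMZ, the 10.0.0.0/16 internal net, the single DMZ web host and the single internal database it is allowed to reach are all assumed for illustration. It is written so that the "holes" from the DMZ into the internal network that the reply mentions are the only accept rules in that direction, are pinned to one source, one destination and one port, and are logged. A two-firewall design carries the same policy, just split across two boxes.

```nftables
#!/usr/sbin/nft -f
# Added example for a three-legged (single-firewall) DMZ; not from the post.
# Interface names, networks and hosts below are assumptions for illustration.
flush ruleset

define EXT_IF  = eth0            # toward the Internet
define DMZ_IF  = eth1            # toward the DMZ segment
define INT_IF  = eth2            # toward the internal network
define DMZ_NET = 192.0.2.0/24    # assumed DMZ range
define INT_NET = 10.0.0.0/16     # assumed internal range
define DMZ_WEB = 192.0.2.10      # assumed public web host in the DMZ
define INT_DB  = 10.0.5.20       # assumed internal database it must reach

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful: return traffic for any flow already permitted below.
        ct state established,related accept
        ct state invalid drop

        # External -> DMZ: only the published service, only to the one host.
        iifname $EXT_IF oifname $DMZ_IF ip daddr $DMZ_WEB tcp dport { 80, 443 } accept

        # Internal -> External: outbound web; tighten or proxy as policy dictates.
        iifname $INT_IF oifname $EXT_IF ip saddr $INT_NET tcp dport { 80, 443 } accept

        # Internal -> DMZ: admin ssh to DMZ hosts from the internal net only.
        iifname $INT_IF oifname $DMZ_IF ip saddr $INT_NET ip daddr $DMZ_NET tcp dport 22 accept

        # DMZ -> Internal: the one "necessary data" hole, pinned to one
        # source, one destination, one port, and logged.
        iifname $DMZ_IF oifname $INT_IF ip saddr $DMZ_WEB ip daddr $INT_DB tcp dport 5432 log prefix "dmz-to-int: " accept

        # Anything else from the DMZ inward is dropped by policy, but log it:
        # a DMZ host probing the internal net is the compromise indicator you want.
        iifname $DMZ_IF oifname $INT_IF log prefix "dmz-to-int-denied: " drop

        # DMZ -> External: a compromised DMZ box should not initiate outbound.
        # If it needs DNS or updates, add a pinned rule above this line instead.
        iifname $DMZ_IF oifname $EXT_IF counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname lo accept
        # Manage the firewall itself only from the internal side.
        iifname $INT_IF ip saddr $INT_NET tcp dport 22 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; the two log prefixes give you a grep handle on exactly the DMZ-to-internal traffic the reply worries about. One caveat the diagrams hide: traffic between two hosts on the same DMZ segment never crosses this (or any) firewall, so DMZ hosts still need to be isolated from each other at layer 2 or with host firewalls.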