In a message dated: Tue, 15 Aug 2000 18:32:35 EDT
"Dave Nichols" said:
>Folks,
>
>Just a question coming out of some work I'm doing today. I was always
>taught a double Firewall surrounded a TRUE DMZ (one in front, one in back).
>
>I see more and more people representing DMZ's coming off a SINGLE firewall,
>the same one which protects the corporate jewels... and implementing the
>differences in rules differences only...
>
>Of course, my current employer (who shall remain nameless but is a large
>network vendor) always shows a single firewall...
>
>What do y'all think?
My answer will be slightly shorter than Derek's :)
In short, I think it completely depends upon several factors:
1. What you're comfortable with
2. What your budget is
3. What is best for your particular situation
4. What you want to support
O'Reilly has an excellent book on the subject, Building Internet Firewalls,
which describes all types of firewall configurations, using commercial
products, homegrown solutions, and a mix.
(Unfortunately it is a little dated, since it doesn't include anything wrt
Linux/*BSD, but the principles are the same.)
Also, wrt your employer, vendors like to show pictures which represent
relative simplicity. Their sales pitch is going to state that the one box is
the functional equivalent of 2, and does a lot more in the way of providing
for easy maintenance, total flexibility, etc., and it costs less than the 2
box system. This is all to get the middle-manager to accept the ridiculous
price of this one box, which is likely *way* out of proportion with reality,
since with Linux, *BSD, or even a commercial Unix box, one could create a
reasonably secure DMZ/Firewall configuration for significantly less than this
one-box solution. Of course the tradeoff is time and expertise, which one may
or may not have in house.
(how am I doing? Is this still shorter than Derek's response :)