Todd, I agree you should not rely exclusively on a firewall. However, if I place two NICs in a machine, I can effectively bypass the firewall and eliminate this layer of protection. Hard and crunchy on the inside or not, they still have access to your internal network without going through the firewall if you straddle the firewall with a machine with two NICs.
I agree with all your points about making sure the inside machines are hardened as much as possible.

Denny

At 10:06 AM 2/15/2002 -0800, Todd Suiter wrote:
>No, you make your internal network hard and crunchy on the inside as well. This
>is a common problem I've seen in MANY places. 'Oh, we have a firewall, we're
>fine!' No. If you don't go to the trouble of securing your internal network and
>hosts, what good is the security you've done on the outside? All it takes
>is one bad CGI for your pants to be at your ankles.
>
>You have several good options for adding additional layers of security, on top
>of just a firewall. Harden the host (patches, removal of services, etc.), ACLs
>on your switches to allow and disallow certain types of traffic, run an IDS
>or 2, run some form of HIDS, LOOK at your machines on a regular basis (this one
>gets missed a lot). And many more. Most of which fall into the 'best
>practices' that so few actually seem to follow. Things like peer code review for new
>cgi apps, research on patches that you are applying, staging your work with
>a prod/stage/dev network, etc.
>
>t
>
>
>On Thu, 14 Feb 2002, Dennis Depp wrote:
>
>> But if the box is compromised, so is your internal network! ;(
>>
>> Denny
>>
>> At 06:30 PM 2/12/2002 +0000, James McGee wrote:
>> >The last place I worked at had a great method...
>> >
>> >Put an additional NIC in them; that way you can keep it separate. You can also
>> >use this for the admin of the site. In addition, this ensures that backups
>> >do not interfere with network utilisation to and from the servers!
>> >
>> >Ensure that the servers will not forward packets.
>> >
>> >----- Original Message -----
>> >From: "Sean Richardson" <[EMAIL PROTECTED]>
>> >To: <[EMAIL PROTECTED]>
>> >Sent: Monday, February 11, 2002 6:43 PM
>> >Subject: Backup for win2k boxes in the DMZ
>> >
>> >
>> >Looking for opinions on the best method to back up Win2K web servers in a
>> >DMZ from a single server with a DLT drive. It seems that most backup
>> >programs need netbios enabled in order to back up remote machines and would
>> >much rather not have this enabled even though it would be blocked at the
>> >firewall. Thanks!
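A defender's check for the setup the thread argues about (a DMZ Windows server given a second NIC for backups, which James says must not forward packets and Sean wants without NetBIOS): this PowerShell audit is an added example, not code from any of the posters. It assumes a current Windows release with the NetTCPIP module; the IPEnableRouter registry value and the TcpipNetbiosOptions codes are real, while the 'DMZ' interface alias in the remediation comments is a placeholder.

```powershell
# Audit a dual-homed Windows host: is it straddling the firewall, can it route
# between its NICs, and is NetBIOS over TCP/IP exposed on each adapter?

# 1. Dual-homed? Count distinct interfaces that carry a real IPv4 address
#    (skip loopback and APIPA 169.254.x.x addresses).
$addrs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' -and $_.IPAddress -notlike '169.254.*' }
$ifCount = ($addrs.InterfaceIndex | Sort-Object -Unique).Count
if ($ifCount -gt 1) {
    Write-Warning "Host has $ifCount addressed interfaces: it straddles whatever sits between them"
} else {
    Write-Host "Single-homed ($ifCount addressed interface)"
}

# 2. System-wide IP routing switch (this registry value dates back to NT/Win2K).
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$router = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($router -eq 1) {
    Write-Warning 'IPEnableRouter=1: the host will forward packets between its NICs'
} else {
    Write-Host 'IPEnableRouter: off'
}

# 3. Per-interface forwarding flag (can be on even when the global switch is off).
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.Forwarding -eq 'Enabled' } |
    ForEach-Object { Write-Warning "Forwarding enabled on interface '$($_.InterfaceAlias)'" }

# 4. NetBIOS over TCP/IP per adapter; the backup software Sean describes wants it on.
#    TcpipNetbiosOptions: 0 = take setting from DHCP (usually on), 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $state = switch ($_.TcpipNetbiosOptions) {
            2       { 'disabled' }
            1       { 'enabled' }
            default { 'DHCP default (normally enabled)' }
        }
        Write-Host "$($_.Description): NetBIOS over TCP/IP $state"
    }

# Remediation, to be run deliberately on the DMZ-facing side ('DMZ' is a placeholder alias):
#   Set-ItemProperty -Path $tcpip -Name IPEnableRouter -Value 0
#   Set-NetIPInterface -InterfaceAlias 'DMZ' -Forwarding Disabled
#   $cfg = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
#          Where-Object { $_.Description -like '*DMZ*' }
#   Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
```

A host that passes all four checks still gives an attacker who owns it a foothold on both segments, which is Denny's point; the script only confirms the box is not also acting as a router.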
