I agree, a single tri-homed firewall sounds too risky by itself.
I like this config:

[router]---[Outer firewall/IDS]---[DMZ]---[Inner firewall/IDS (optional but recommended, or HIDS on the LAN)]---[LAN]

-----Original Message-----
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 10, 2003 11:41 AM
To: Chris Berry; [EMAIL PROTECTED]
Subject: RE: Firewall and DMZ topology

I'm not sure how a tri-homed firewall can be just as secure as a two firewall setup. Consider this: Hacker is able to penetrate your firewall and "owns" the box. In a tri-homed firewall, they now have direct access to your internal network. If this had been a two firewall setup, they would have to compromise the second box as well. While this may not be an issue as they were already successful in owning one firewall, hopefully you have your intrusion detection system tuned to a greater degree of sensitivity in your DMZ. And you will be able to discover this second attempt.

I do think tri-homed firewalls are a good solution, but they are not as secure as a two firewall solution.

Dennis Depp
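The argument in the thread can be checked with a small reachability model. The following is an added example, not code from either poster: it encodes the same default-deny allowlist once for a tri-homed firewall and once split across an outer and an inner firewall, then asks which segments an attacker who owns a given firewall host can still reach. The segment names, ports (80, 443, 22, 5432) and rules are constructed for illustration.

```python
"""Reachability model comparing a tri-homed firewall with a two-firewall DMZ.

Added example (not code from the thread). Segments, ports and rules below are
constructed for illustration. Each firewall joins a set of segments and
enforces a default-deny allowlist keyed on (source segment, destination
segment, port). A compromised firewall host enforces nothing: the attacker on
it reaches every segment that box is plugged into directly, and anything
beyond only through the policies of the firewalls that remain intact.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple

INTERNET, DMZ, LAN = "internet", "dmz", "lan"
HTTP, HTTPS, SSH, DB = 80, 443, 22, 5432  # constructed sample services
ANY: Optional[int] = None                  # wildcard port in a rule


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int] = ANY


@dataclass(frozen=True)
class Firewall:
    name: str
    segments: FrozenSet[str]
    allow: Tuple[Rule, ...]

    def permits(self, src: str, dst: str, port: int) -> bool:
        """Default deny: only an explicit rule lets src reach dst on port."""
        if src not in self.segments or dst not in self.segments:
            return False
        return any(r.src == src and r.dst == dst and r.port in (ANY, port)
                   for r in self.allow)


class Topology:
    def __init__(self, *firewalls: Firewall) -> None:
        self.firewalls: Tuple[Firewall, ...] = firewalls

    def _fw(self, name: str) -> Firewall:
        return next(f for f in self.firewalls if f.name == name)

    def _spread(self, seeds: Set[str], port: int, skip: Optional[str]) -> Set[str]:
        """Breadth-first walk: a packet to `port` crosses a firewall only if that
        firewall permits (current segment -> next segment). The firewall named
        by `skip` is the compromised one and is not consulted."""
        seen = set(seeds)
        frontier: List[str] = list(seeds)
        while frontier:
            cur = frontier.pop()
            for fw in self.firewalls:
                if fw.name == skip or cur not in fw.segments:
                    continue
                for nxt in fw.segments - {cur}:
                    if nxt not in seen and fw.permits(cur, nxt, port):
                        seen.add(nxt)
                        frontier.append(nxt)
        return seen

    def reachable(self, start: str, port: int) -> Set[str]:
        """Segments reachable on `port` from a host in segment `start`."""
        return self._spread({start}, port, skip=None)

    def reachable_from_compromised(self, fw_name: str, port: int) -> Set[str]:
        """Segments reachable on `port` by an attacker who owns firewall `fw_name`."""
        fw = self._fw(fw_name)
        return self._spread(set(fw.segments), port, skip=fw_name)

    def lan_ports_exposed(self, fw_name: str, ports: Iterable[int]) -> Set[int]:
        """Ports on the LAN reachable after `fw_name` is compromised."""
        return {p for p in ports if LAN in self.reachable_from_compromised(fw_name, p)}


# The same allowlist in both designs: the Internet may reach DMZ web ports, the
# DMZ may reach one LAN database port, and the LAN may SSH into the DMZ.
EDGE_RULES = (Rule(INTERNET, DMZ, HTTP), Rule(INTERNET, DMZ, HTTPS))
INTERIOR_RULES = (Rule(DMZ, LAN, DB), Rule(LAN, DMZ, SSH))


def tri_homed() -> Topology:
    """One box with three interfaces enforcing the whole policy."""
    return Topology(Firewall("fw", frozenset({INTERNET, DMZ, LAN}),
                             EDGE_RULES + INTERIOR_RULES))


def two_firewall() -> Topology:
    """[outer]---DMZ---[inner]: the policy is split across two boxes."""
    outer = Firewall("outer", frozenset({INTERNET, DMZ}), EDGE_RULES)
    inner = Firewall("inner", frozenset({DMZ, LAN}), INTERIOR_RULES)
    return Topology(outer, inner)


if __name__ == "__main__":
    probe = (HTTP, HTTPS, SSH, DB)
    for label, topo, fw in (("tri-homed", tri_homed(), "fw"),
                            ("two-firewall", two_firewall(), "outer")):
        print(f"{label}: LAN reachable from Internet on 80 -> "
              f"{LAN in topo.reachable(INTERNET, HTTP)}")
        print(f"{label}: LAN ports exposed after '{fw}' is owned -> "
              f"{sorted(topo.lan_ports_exposed(fw, probe))}")
```

From the outside both designs look identical (the LAN is unreachable from the Internet on every probed port). The difference appears only after a firewall host is owned: in the tri-homed case every LAN port is exposed, while with the outer firewall owned the attacker still sees only what the inner firewall allows from the DMZ, here the single database port. Every other DMZ-to-LAN attempt is dropped by the inner box, which is exactly the traffic an IDS watching the DMZ side of it should be tuned to alert on.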