Date: Sun, 4 Mar 2001 14:06:07 -0500
From: Chris <security@kingsqueak.org>
To: questions@FreeBSD.ORG
Subject: Re: FreeBSD Firewall vs. Black Ice
Message-ID: <20010304140606.A76465@daemon.kingsqueak.org>
In-Reply-To: <15010.26348.659989.455852@guru.mired.org>; from mwm@mired.org on Sun, Mar 04, 2001 at 10:01:48AM -0600
References: <8738640@toto.iv> <15010.26348.659989.455852@guru.mired.org>
Why two separate firewalls? Some guy on securityportal just wrote this horrid 'howto' on firewall 'placement' that made this mistake as well. His actually showed diagrams that recommended proxying all internal traffic through a webserver before it hit another firewall and got out... a DMZ server no less... you have to see the diagram to get it. Too funny.

Unless traffic is so high it will crush the CPU of the fw box, there is no reason to not simply segment the network and add ruleset groups. Add a third nic to make one external, one DMZ net, and one internal. This actually makes it simpler to manage the DMZ rules anyway. If anything, if the traffic is sufficiently high, stick a bridge device fw 'outside' everything to do any screening that would apply to all of the nets 'inside'. Good place for an IDS box as well.

I don't mean this as an attack on your opinion, just that I've seen so much lately of the 'put another server here, put another one over there...' Personally I want the least amount of management that I have to do and still maintain as much fault tolerance as needed.

Another aside, if this was all in reference to a high availability e-commerce site, you will of course need full redundancy and fault tolerance. Most of the recommendations I keep seeing for multiple physical fw's are for small LAN applications of a couple hundred users; if a PC dies, it really isn't that big of a deal to either fix it or replace it where an hour 'down' won't really hurt that much. It's not pleasant, but hardly the same impact as closing the doors on a commerce site.
Back to my coffee

* Mike Meyer <mwm@mired.org> [010304 11:05]:
> Ted Mittelstaedt <tedm@toybox.placo.com> types:
> > Where firewalling gets costly, as in sucking up your time or paying someone
> > else, is when you want to have your cake and eat it too - ie: you want to be
> > protected, but you also want to offer services or do different things, and
> > you also want the firewall to be invisible to you, from the inside.
>
> This is why you run two firewalls. One does little more than your
> basic $100 Linksys box, and sits between your internal network and the
> rest of the world. Your service boxes sit outside of it, in the
> dmz. The second firewall sits between those and the internet
> proper. No connections go from the outside world to the internal
> network (and very little from the dmz to the internal network). You
> then set the world up so that the service boxes are *generated* from
> data on the internal box. Not backed up, but built. When one of the
> goats gets compromised, you close the hole in the build data, install
> a new OS and rebuild from the internal data.
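The three-NIC layout Chris describes (one external, one DMZ and one internal interface, with a rule group per segment), written as a FreeBSD ipfw ruleset that also enforces the policy Mike states: nothing from the outside world reaches the internal net, and next to nothing initiates from the DMZ inward. This is an added example, not code from either poster; the interface names fxp0/fxp1/fxp2, the 192.0.2.0/24 and 10.0.0.0/24 prefixes and the syslog host are assumptions.

```shell
#!/bin/sh
# Single firewall, three segments: ext (fxp0), dmz (fxp1), int (fxp2).
# Interface names and prefixes below are assumptions for this example.
EXT_IF=fxp0             # toward the Internet
DMZ_IF=fxp1             # DMZ segment: the public service hosts
INT_IF=fxp2             # internal LAN
DMZ_NET=192.0.2.0/24    # constructed (documentation prefix)
INT_NET=10.0.0.0/24     # constructed
LOGHOST=10.0.0.5        # internal syslog collector, constructed
IPFW=${IPFW:-ipfw}      # IPFW=echo prints the rules instead of loading them

fw_rules() {
    $IPFW -q flush
    # group 100: housekeeping; check-state lets replies of stateful flows through
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 check-state
    # group 200: Internet -> DMZ, only the published services, stateful
    $IPFW add 200 allow tcp from any to $DMZ_NET 80 in via $EXT_IF setup keep-state
    $IPFW add 210 allow tcp from any to $DMZ_NET 443 in via $EXT_IF setup keep-state
    # group 300: internal -> anywhere; the firewall stays invisible from inside
    $IPFW add 300 allow ip from $INT_NET to any in via $INT_IF keep-state
    # group 400: DMZ -> internal, syslog only; everything else inward is logged and dropped
    $IPFW add 400 allow udp from $DMZ_NET to $LOGHOST 514 in via $DMZ_IF keep-state
    $IPFW add 410 deny log ip from $DMZ_NET to $INT_NET
    # group 500: DMZ outbound (updates, DNS), evaluated after the inward deny
    $IPFW add 500 allow ip from $DMZ_NET to any in via $DMZ_IF keep-state
    # group 600: no connection from the outside world to the internal net
    $IPFW add 600 deny log ip from any to $INT_NET in via $EXT_IF
    $IPFW add 65000 deny log ip from any to any
}

# "sh fw.sh load" installs the rules (as root); "sh fw.sh show" prints them.
case "${1:-}" in
    load) fw_rules ;;
    show) IPFW=echo; fw_rules ;;
esac
```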