Date: Tue, 27 Nov 2001 16:04:04 -0500 (EST)
From: Chris BeHanna <behanna@zbzoom.net>
To: <freebsd-security@freebsd.org>
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011127160049.N57709-100000@topperwein.dyndns.org>
In-Reply-To: <20011127054030.GB5828@shall.anarcat.dyndns.org>
On Tue, 27 Nov 2001, The Anarcat wrote:

> The firewall, whether it is single or dual, has the same functionality
> in the presence of a DMZ:
>
> (2 designs of dual fw):               (and a single fw design):
>
>     out        out                        out
>      |          |                          |
>     fw1        fw1----+                    |
>      |          |     |                    |
>     dmz         |    dmz          fw ---- dmz
>      |          |     |                    |
>     fw2        fw2----+                    |
>      |          |                          |
>     in         in                         in
>
> In the second one, you set up a private line between the 2 fws to have
> direct traffic let through unsniffable directly by the dmz. That is,
                                             ^^^^^^^^^^^
> even if you let direct traffic, where you might prefer having proxies
> somewhere to avoid direct traffic.

No, not unsniffable. If an attacker manages to install arp-spoof
software on the DMZ, then he can easily mount a man-in-the-middle
attack and reroute all the traffic between fw1 and fw2 through the
DMZ. Even routers can be overcome. There's a good discussion about
this kind of thing on the dsniff website.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
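The poisoning Chris describes, modelled as an added example (this is not code from the thread, from FreeBSD or from dsniff; dsniff's arpspoof automates the real-wire version). It puts fw1, fw2 and a compromised DMZ host on one shared segment, as in the second dual-firewall diagram, and shows that two unsolicited ARP replies are enough to make each firewall send the other's traffic to the attacker. It also shows the two usual defences: pinning the fw1/fw2 entries (static ARP, `arp -s` on FreeBSD) and an arpwatch-style monitor that alerts when an IP changes MAC. Host names, addresses and MACs are constructed for the demonstration.

```python
"""ARP cache poisoning on a shared DMZ segment, modelled in Python.

Added example for this thread; not code from the list or from dsniff.
All hosts, IPs and MACs below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    static_arp: bool = False      # entries pinned by the admin (arp -s on FreeBSD)
    arp_cache: dict = field(default_factory=dict)   # ip -> mac

    def learn(self, ip: str, mac: str) -> bool:
        """Handle an ARP reply. A dynamic cache overwrites its entry on any
        reply, solicited or not; a pinned entry is never replaced."""
        if self.static_arp and ip in self.arp_cache:
            return False
        self.arp_cache[ip] = mac
        return True


class ArpMonitor:
    """arpwatch-style watcher: alert when an IP shows up with a new MAC."""
    def __init__(self) -> None:
        self.seen: dict = {}
        self.alerts: list = []

    def observe(self, ip: str, mac: str) -> None:
        old = self.seen.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip} moved from {old} to {mac}")
        self.seen[ip] = mac


class Segment:
    """One broadcast domain: the DMZ switch that fw1, fw2 and the DMZ
    servers share when the fw1-fw2 link rides on the DMZ segment."""
    def __init__(self, hosts, monitor: ArpMonitor) -> None:
        self.by_mac = {h.mac: h for h in hosts}
        self.monitor = monitor

    def arp_reply(self, claimed_ip: str, claimed_mac: str, target: Host) -> None:
        """Deliver an ARP reply to target. ARP carries no authentication,
        so any host on the segment may claim any IP."""
        self.monitor.observe(claimed_ip, claimed_mac)
        target.learn(claimed_ip, claimed_mac)

    def next_hop(self, src: Host, dst_ip: str):
        """Name of the host that really receives src's frames for dst_ip."""
        mac = src.arp_cache.get(dst_ip)
        return self.by_mac[mac].name if mac in self.by_mac else None


def run_scenario(static_entries: bool) -> dict:
    fw1 = Host("fw1", "192.0.2.1", "02:00:00:00:00:01", static_entries)
    fw2 = Host("fw2", "192.0.2.2", "02:00:00:00:00:02", static_entries)
    evil = Host("dmz-host", "192.0.2.10", "02:00:00:00:00:aa")
    mon = ArpMonitor()
    seg = Segment([fw1, fw2, evil], mon)

    if static_entries:
        # Admin pins each firewall's entry for the other before anything
        # is heard on the wire.
        fw1.arp_cache[fw2.ip] = fw2.mac
        fw2.arp_cache[fw1.ip] = fw1.mac

    # Legitimate replies seen on the segment (normal resolution).
    seg.arp_reply(fw2.ip, fw2.mac, fw1)
    seg.arp_reply(fw1.ip, fw1.mac, fw2)

    # Compromised DMZ host: "fw2 is at my MAC" to fw1, "fw1 is at my MAC"
    # to fw2. With dynamic caches both directions now transit the attacker.
    seg.arp_reply(fw2.ip, evil.mac, fw1)
    seg.arp_reply(fw1.ip, evil.mac, fw2)

    return {
        "fw1_to_fw2": seg.next_hop(fw1, fw2.ip),
        "fw2_to_fw1": seg.next_hop(fw2, fw1.ip),
        "alerts": mon.alerts,
    }


if __name__ == "__main__":
    for pinned in (False, True):
        r = run_scenario(pinned)
        print(f"static ARP={pinned}: fw1->{r['fw1_to_fw2']}, "
              f"fw2->{r['fw2_to_fw1']}, alerts={len(r['alerts'])}")
```

Note what the two defences do and do not buy: pinned entries keep the firewalls talking to each other directly but change nothing for the DMZ servers, whose caches are still poisonable, and the monitor only detects the attack after the fact. The structural fix is the one the diagram hints at: run the fw1-fw2 link over its own point-to-point segment (crossover cable or dedicated interfaces) so no DMZ host shares a broadcast domain with it.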
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011127160049.N57709-100000>