Date: Sat, 24 Nov 2001 22:36:03 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
Cc: security@FreeBSD.ORG
Subject: Re: Firewall design [was: Re: Best security topology for FreeBSD]
Message-ID: <20011124223603.A228@gohan.cjclark.org>
In-Reply-To: <Pine.BSF.4.21.0111222046180.636-100000@lhotse.zaraska.dhs.org>; from kzaraska@student.uci.agh.edu.pl on Thu, Nov 22, 2001 at 08:55:30PM +0100
References: <20011122031739.A226@gohan.cjclark.org> <Pine.BSF.4.21.0111222046180.636-100000@lhotse.zaraska.dhs.org>
On Thu, Nov 22, 2001 at 08:55:30PM +0100, Krzysztof Zaraska wrote:
> On Thu, 22 Nov 2001, Crist J. Clark wrote:
>
> <snip>
> > It is sad to see this poor design,
> >
> >     Internet
> >        |
> >        |
> >     Firewall--"DMZ"
> >        |
> >        |
> >     Internal
> >
> > Used so very, very much these days (I think thanks to several firewall
> > vendors pushing this as a standard design).
> >
> > A much better design is
> >
> >     Internet
> >        |
> >        |
> >     Firewall1
> >        |
> >        |
> >     DMZ
> >        |
> >        |
> >     Firewall2
> >        |
> >        |
> >     Internal
> >
> > (This design is actually where the term "DMZ" comes from since it
> > actually looks like one here.)
>
> Could you please explain why the second design is better?

The fundamental security concept: defense in depth. In the first
design, there is only a single layer of security between any of your
networks and the hostile network. In the second, you have an
additional layer of security for the internal network.
--
Crist J. Clark                     cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
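The defense-in-depth argument above, worked through as an added example that is not part of the original thread or of any FreeBSD code. It models the two topologies from the quoted diagrams as first-match, default-deny rulesets (the ipfw/pf style) and checks which zone-to-zone flows get through. It goes a little beyond the message by exercising two failure modes the thread only implies: an over-broad "allow from DMZ to any" rule added to the wrong box, and a firewall that has itself been compromised and passes everything. Zone names, ports, the rule sets and the helper names (Rule, Firewall, single_firewall, two_firewalls, compromised_dmz_reaches_internal) are all constructed for illustration.

```python
"""Policy model of the single-firewall "DMZ on a third leg" design versus the
Internet -> FW1 -> DMZ -> FW2 -> Internal design.

Constructed example; zones, rules and ports are assumptions, not a real site.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ZONES = ("internet", "dmz", "internal")


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # zone name, or "any"
    dst: str              # zone name, or "any"
    dport: Optional[int]  # destination port, or None for any port


class Firewall:
    """First-match ruleset that falls through to deny, like 'ipfw add deny ip from any to any'."""

    def __init__(self, name: str, rules: List[Rule], compromised: bool = False):
        self.name = name
        self.rules = list(rules)
        self.compromised = compromised  # attacker owns the box: it passes anything

    def decide(self, src: str, dst: str, dport: int) -> bool:
        if self.compromised:
            return True
        for r in self.rules:
            if r.src in ("any", src) and r.dst in ("any", dst) and r.dport in (None, dport):
                return r.action == "allow"
        return False  # default deny


# (src zone, dst zone) -> firewalls the packet must traverse, in order
Topology = Dict[Tuple[str, str], List[str]]


def path_allowed(topo: Topology, fws: Dict[str, Firewall], src: str, dst: str, dport: int) -> bool:
    """A flow succeeds only if every firewall on its path allows it."""
    return all(fws[name].decide(src, dst, dport) for name in topo[(src, dst)])


# The intended policy, identical in both designs (constructed).
BASE_RULES = [
    Rule("allow", "internet", "dmz", 80),    # public web server lives in the DMZ
    Rule("allow", "dmz", "internet", 53),    # DMZ hosts may resolve names
    Rule("allow", "internal", "any", None),  # internal users may reach anything
]
# A plausible operator slip: "let the DMZ box fetch updates", written far too broadly.
BROAD_RULE = Rule("allow", "dmz", "any", None)


def single_firewall(mistake: bool = False, compromised: bool = False):
    """One box with three legs: every inter-zone flow crosses the same ruleset."""
    rules = BASE_RULES + ([BROAD_RULE] if mistake else [])
    fws = {"fw": Firewall("fw", rules, compromised)}
    topo = {(s, d): ["fw"] for s in ZONES for d in ZONES if s != d}
    return topo, fws


def two_firewalls(mistake_fw1: bool = False, mistake_fw2: bool = False,
                  fw1_compromised: bool = False):
    """FW1 faces the Internet, FW2 sits between the DMZ and the internal net."""
    fw1 = Firewall("fw1", BASE_RULES + ([BROAD_RULE] if mistake_fw1 else []), fw1_compromised)
    fw2 = Firewall("fw2", BASE_RULES + ([BROAD_RULE] if mistake_fw2 else []))
    topo = {
        ("internet", "dmz"): ["fw1"], ("dmz", "internet"): ["fw1"],
        ("dmz", "internal"): ["fw2"], ("internal", "dmz"): ["fw2"],
        ("internet", "internal"): ["fw1", "fw2"], ("internal", "internet"): ["fw2", "fw1"],
    }
    return topo, {"fw1": fw1, "fw2": fw2}


def compromised_dmz_reaches_internal(topo: Topology, fws: Dict[str, Firewall], dport: int = 22) -> bool:
    """Can an attacker who owns the DMZ web server pivot to an internal host?"""
    return path_allowed(topo, fws, "dmz", "internal", dport)


if __name__ == "__main__":
    cases = [
        ("single, correct rules", single_firewall()),
        ("single, broad DMZ rule", single_firewall(mistake=True)),
        ("two-tier, broad rule on FW1", two_firewalls(mistake_fw1=True)),
        ("two-tier, broad rule on FW2", two_firewalls(mistake_fw2=True)),
    ]
    for label, (topo, fws) in cases:
        print(f"{label:32s} DMZ->internal:22 {compromised_dmz_reaches_internal(topo, fws)}")
```

The model makes the caveat concrete: in the two-firewall design a slip on FW1, the box whose rules change most often because it faces the Internet, no longer exposes the internal network, and even a fully compromised FW1 still leaves FW2 between the Internet and internal hosts. FW2 still has to be right, though: the same over-broad rule placed on FW2 opens the DMZ-to-internal path just as it does on the single box. The extra layer buys margin for error on the outer firewall, not immunity from error on the inner one.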