From: Steve Francis
Date: Thu, 22 Nov 2001 12:28:14 -0800
To: cjclark@alum.mit.edu
Cc: Fernando Germano , security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD

"Crist J. Clark" wrote:

> A much better design, is
>
>     Internet
>        |
>        |
>    Firewall1
>        |
>        |
>       DMZ
>        |
>        |
>    Firewall2
>        |
>        |
>     Internal
>
> (This design is actually where the term "DMZ" comes from since it
> actually looks like one here.)
>
> And in your case... that many NICs in one machine... I hope you have a
> dedicated stand-by. It's screaming "single point of failure." I would
> really consider NOT using one machine for all of this.

Of course, your design has even more single points of failure....