From owner-freebsd-security Fri Nov 23 4:23: 6 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by hub.freebsd.org (Postfix) with ESMTP id 3FDAA37B41B for ; Fri, 23 Nov 2001 04:22:54 -0800 (PST)
Received: from hades.hell.gr (patr530-b206.otenet.gr [212.205.244.214]) by mailsrv.otenet.gr (8.11.5/8.11.5) with ESMTP id fANCMnY06545; Fri, 23 Nov 2001 14:22:49 +0200 (EET)
Received: (from charon@localhost) by hades.hell.gr (8.11.6/8.11.6) id fANAS9S09853; Fri, 23 Nov 2001 12:28:09 +0200 (EET) (envelope-from charon@labs.gr)
Date: Fri, 23 Nov 2001 12:28:09 +0200
From: Giorgos Keramidas
To: Krzysztof Zaraska
Cc: security@FreeBSD.ORG
Subject: Re: Firewall design [was: Re: Best security topology for FreeBSD]
Message-ID: <20011123102809.GA9743@hades.hell.gr>
References: <20011122031739.A226@gohan.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.23.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

[ ascii art reordering to cut a few lines of text ]

    Internet --- firewall --- internal
                    |
                   DMZ

------------------------------------------------------------

    Internet --- firewall1 --- DMZ --- firewall2 --- internal

------------------------------------------------------------

On 2001-11-22 20:55:30, Krzysztof Zaraska wrote:
> Could you please explain why the second design is better? I know it's
> harder to properly construct the correct ruleset for the first topology,
> but what are other problems?

Two levels of firewall; one more barrier for intruders. If the same
machine is used for the DMZ and internal firewall, and it is
compromised, then both the DMZ and internal networks are wide open.
This, however, is useless if you use exactly the same hardware/software
both for the `external' and `internal' machines and still have two
separate machines for the two firewalls. The same exploits/bugs that
will let someone in at the external firewall will let him break the
internal firewall when the DMZ has been compromised. But by now we are
deep into paranoia territory :)

-giorgos

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
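The two exposure arguments in the message above (a single firewall whose compromise opens both the DMZ and the internal network, versus a two-tier design, and the caveat that two tiers running identical software fall together) can be checked with a small reachability model. This is an added example, not code from the original thread or from FreeBSD; the zone names, the firewall names `fw`, `fw1`, `fw2`, the software labels and the permitted flows are constructed assumptions chosen to mirror the two ASCII diagrams.

```python
"""Toy reachability model for the two firewall topologies discussed above.

Each Firewall holds interfaces in some zones and, while intact, passes only
the declared (src_zone, dst_zone) flows.  A compromised firewall is assumed to
forward anything between the zones it touches.  The model then computes which
zones an attacker starting on the Internet can reach.  All names and policies
below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Firewall:
    name: str
    software: str          # label for the OS/firewall build (constructed)
    zones: frozenset       # zones whose interfaces this firewall holds
    allowed: frozenset     # (src, dst) flows passed while the box is intact


# Topology 1: one box touches all three zones (Internet --- firewall --- internal, DMZ below).
SINGLE = (
    Firewall("fw", "build-A", frozenset({"internet", "dmz", "internal"}),
             frozenset({("internet", "dmz"), ("internal", "dmz"), ("internal", "internet")})),
)

# Topology 2: two boxes in series, built from different software.
TWO_TIER = (
    Firewall("fw1", "build-A", frozenset({"internet", "dmz"}),
             frozenset({("internet", "dmz"), ("dmz", "internet")})),
    Firewall("fw2", "build-B", frozenset({"dmz", "internal"}),
             frozenset({("internal", "dmz")})),
)

# Topology 2 again, but both tiers run the identical build (the mail's caveat).
TWO_TIER_SAME = (
    TWO_TIER[0],
    Firewall("fw2", "build-A", TWO_TIER[1].zones, TWO_TIER[1].allowed),
)


def exposed_zones(firewalls, compromised=(), same_software_falls=False, start="internet"):
    """Return the set of zones reachable by an attacker who starts in `start`.

    compromised          names of firewalls already under attacker control.
    same_software_falls  if True, an intact firewall running the same build as
                         a compromised one is treated as compromised as soon as
                         the attacker reaches any zone it has an interface in
                         (the 'same exploits/bugs' assumption from the mail).
    """
    owned = set(compromised)
    reach = {start}
    changed = True
    while changed:                      # fixed-point iteration over the graph
        changed = False
        for fw in firewalls:
            if (same_software_falls and fw.name not in owned and fw.zones & reach
                    and any(f.software == fw.software for f in firewalls if f.name in owned)):
                owned.add(fw.name)
                changed = True
            for src in list(reach):
                if src not in fw.zones:
                    continue
                for dst in fw.zones:
                    if dst in reach:
                        continue
                    if fw.name in owned or (src, dst) in fw.allowed:
                        reach.add(dst)
                        changed = True
    return reach


def report():
    """Summarise the four scenarios the thread is about."""
    return {
        "single, intact": sorted(exposed_zones(SINGLE)),
        "single, fw owned": sorted(exposed_zones(SINGLE, ("fw",))),
        "two-tier, fw1 owned": sorted(exposed_zones(TWO_TIER, ("fw1",), same_software_falls=True)),
        "two-tier same build, fw1 owned": sorted(
            exposed_zones(TWO_TIER_SAME, ("fw1",), same_software_falls=True)),
    }


if __name__ == "__main__":
    for scenario, zones in report().items():
        print(f"{scenario:32s} -> {zones}")
```

With the single box intact only the DMZ is exposed; once that box is owned, the internal network is exposed too. In the two-tier layout owning `fw1` exposes the DMZ but not the internal network, unless `fw2` is the identical build and the same-software assumption is switched on, in which case the model reports the internal network as reachable as well.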