Date:      Fri, 23 Nov 2001 04:49:46 -0800
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        cjclark@alum.mit.edu
Cc:        Fernando Germano <fgermano@audiotel.com.ar>, security@FreeBSD.ORG
Subject:   Re: Best security topology for FreeBSD 
Message-ID:  <200111231250.fANCoha19105@cwsys.cwsent.com>
In-Reply-To: Your message of "Thu, 22 Nov 2001 03:17:39 PST." <20011122031739.A226@gohan.cjclark.org> 

In message <20011122031739.A226@gohan.cjclark.org>, "Crist J. Clark" writes:
> It is sad to see this poor design,
> 
>      Internet
>         |
>         |
>       Firewall--"DMZ"
>         |
>         |
>      Internal
> 
> Used so very, very much these days (I think thanks to several firewall
> vendors pushing this as a standard design).
> 
> A much better design is
> 
>       Internet
>          |
>          |
>       Firewall1
>          |
>          |
>         DMZ
>          |
>          |
>       Firewall2
>          |
>          |
>       Internal
> 
> (This design is actually where the term "DMZ" comes from since it
> actually looks like one here.)

Given the capability of today's firewalls, packet filtering software 
and packet filtering capabilities within routers, I don't see what
the advantage of the second design would be in 2001.

Actually today (2001), the second design is quite dangerous.  Sure it 
protects your internal network, however it is more difficult to
prevent compromised systems from being used as a launching point to 
elsewhere on the Internet.

If you want the additional protection of security through depth, try 
this:

       Internet
          |
          |
       Firewall1 -- DMZ
          |
          |
       Firewall2
          |
          |
       Internal

What does this give you?  Well, your DMZ can be easily configured to 
protect not only you but make it difficult to launch attacks from your 
DMZ.  The second firewall is a redundant firewall.  If you see any 
messages in the second firewall's logs, you might want to investigate 
a possible compromise of your first firewall.  Many organisations do 
this.  For example, firewall 1 could be a packet filtering router while 
firewall 2 could be a firewall with various proxy services, e.g. IP 
Filter's FTP proxy, or a firewall with NAT capability.  Of course all 
of this depends on what you're trying to protect and how much you're 
willing to spend to protect whatever you're trying to protect.  For 
many applications one firewall should be enough.

Also, one could set up other firewalls within an internal network to 
control which hosts within your internal network have access to your
most sensitive data, e.g. your financial records.



Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team      Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
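The three-zone design Cy describes, as an added example that is not part of the thread: a toy stateless Python model with constructed addresses and rule sets (replies and state tracking are ignored), in which anything Firewall2 has to block on the way in is treated as the cue to investigate Firewall1.

```python
from ipaddress import ip_address, ip_network

# Constructed zones for the topology above: the DMZ hangs off Firewall1's third
# interface, the internal network sits behind Firewall2.
ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")      # TEST-NET-1, constructed
INTERNAL = ip_network("10.0.0.0/8")

# A rule is (source net, destination net, destination port or None for any).
# Any matching rule passes the packet; no match blocks it. Both policies are
# constructed illustrations, not anyone's production rule set.
FW1_PASS = [
    (ANY, DMZ, 80), (ANY, DMZ, 25),   # Internet may reach DMZ web and mail only
    (DMZ, ANY, 25),                   # DMZ egress: outbound mail only, so a
                                      # compromised DMZ host cannot probe the Internet
    (DMZ, INTERNAL, 3306),            # DMZ web tier may reach the internal database
    (INTERNAL, ANY, None),            # internal hosts may go anywhere
]
FW2_PASS = [                          # the redundant filter: same inbound policy again
    (INTERNAL, ANY, None),
    (DMZ, INTERNAL, 3306),
]

def zone(addr):
    a = ip_address(addr)
    return "internal" if a in INTERNAL else "dmz" if a in DMZ else "internet"

def passes(rules, src, dst, port):
    s, d = ip_address(src), ip_address(dst)
    return any(s in sn and d in dn and (p is None or p == port) for sn, dn, p in rules)

def route(pkt, fw1_compromised=False):
    """Walk a (src, dst, port) packet through the firewalls on its path and return
    (verdict, alert). alert is True when Firewall2 blocks something inbound that
    Firewall1 already passed: in this design that log line is the cue to check
    whether Firewall1 has been compromised or misconfigured."""
    src, dst, port = pkt
    sz, dz = zone(src), zone(dst)
    if sz == "internal":
        path = [] if dz == "internal" else ["fw2", "fw1"]
    else:
        path = ["fw1", "fw2"] if dz == "internal" else ["fw1"]
    for hop in path:
        if hop == "fw1" and not (fw1_compromised or passes(FW1_PASS, src, dst, port)):
            return "blocked@fw1", False
        if hop == "fw2" and not passes(FW2_PASS, src, dst, port):
            return "blocked@fw2", path[0] == "fw1"
    return "passed", False
```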

