From owner-freebsd-security Fri Nov 23 4:52:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 3F53037B416 for ; Fri, 23 Nov 2001 04:52:42 -0800 (PST)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id EAA12381; Fri, 23 Nov 2001 04:51:56 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda12379; Fri Nov 23 04:51:48 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id fANCphT44859; Fri, 23 Nov 2001 04:51:43 -0800 (PST)
Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpda44853; Fri Nov 23 04:50:44 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id fANCoha19105; Fri, 23 Nov 2001 04:50:43 -0800 (PST)
Message-Id: <200111231250.fANCoha19105@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdR15157; Fri Nov 23 04:49:46 2001
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: cjclark@alum.mit.edu
Cc: Fernando Germano , security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
In-reply-to: Your message of "Thu, 22 Nov 2001 03:17:39 PST." <20011122031739.A226@gohan.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 23 Nov 2001 04:49:46 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In message <20011122031739.A226@gohan.cjclark.org>, "Crist J. Clark" writes:
> It is sad to see this poor design,
>
>     Internet
>        |
>        |
>     Firewall--"DMZ"
>        |
>        |
>     Internal
>
> Used so very, very much these days (I think thanks to several firewall
> vendors pushing this as a standard design).
>
> A much better design, is
>
>     Internet
>        |
>        |
>     Firewall1
>        |
>        |
>     DMZ
>        |
>        |
>     Firewall2
>        |
>        |
>     Internal
>
> (This design is actually where the term "DMZ" comes from since it
> actually looks like one here.)

Given the capability of today's firewalls, packet filtering software and packet filtering capabilities within routers, I don't see what the advantage of the second design would be in 2001.

Actually, today (2001), the second design is quite dangerous. Sure, it protects your internal network; however, it is more difficult to keep compromised systems from being used as a launching point to elsewhere on the Internet.

If you want the additional protection of security through depth, try this:

    Internet
       |
       |
    Firewall1 -- DMZ
       |
       |
    Firewall2
       |
       |
    Internal

What does this give you? Well, your DMZ can be easily configured not only to protect you but also to make it difficult to launch attacks from your DMZ. The second firewall is a redundant firewall. If you see any messages in the second firewall's logs, you might want to investigate a possible compromise of your first firewall. Many organisations do this. For example, firewall 1 could be a packet filtering router while firewall 2 could be a firewall with various proxy services, e.g. IP Filter's FTP proxy, or a firewall with NAT capability.

Of course all of this depends on what you're trying to protect and how much you're willing to spend to protect whatever you're trying to protect. For many applications one firewall should be enough. Also, one could set up other firewalls within an internal network to control which hosts within your internal network have access to your most sensitive data, e.g. your financial records.
Regards,                          Phone:  (250)387-8437
Cy Schubert                       Fax:    (250)387-5766
Team Leader, Sun/Alpha Team       Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
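Added illustration (not part of Cy's message or of the list thread): an IP Filter ruleset for the "Firewall1 -- DMZ / Firewall2" layout he sketches, showing the two properties the message argues for: the DMZ is filtered on egress so a compromised DMZ host is a poor launching point, and Firewall2 logs every unsolicited packet that reaches it, which Firewall1 should never have passed. Interface names (fxp0/fxp1/fxp2), the addresses (203.0.113.0/24 for the DMZ, 192.0.2.0/30 for the link between the firewalls, 10.1.0.0/16 internally) and the DMZ service hosts are all constructed for the example.

```ipf
# Added example: IP Filter rules for the "Firewall1 -- DMZ / Firewall2" layout.
# All addresses and interface names are constructed for illustration:
#   Firewall1: fxp0 = Internet, fxp1 = DMZ (203.0.113.0/24), fxp2 = link to Firewall2 (192.0.2.0/30)
#   Firewall2: fxp0 = link to Firewall1 (its address 192.0.2.2), fxp1 = internal (10.1.0.0/16)
#   DMZ hosts: 203.0.113.10 = web and mail, 203.0.113.11 = DNS

# ---------- Firewall1 (packet-filtering router): /etc/ipf.rules ----------
# Default deny in both directions; anything unmatched is logged.
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all

# Internet side: drop spoofed private and DMZ sources before anything else.
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 203.0.113.0/24 to any

# Internet -> DMZ: only the published services, stateful.
pass in quick on fxp0 proto tcp from any to 203.0.113.10/32 port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to 203.0.113.10/32 port = 25 flags S keep state
pass in quick on fxp0 proto udp from any to 203.0.113.11/32 port = 53 keep state
pass in quick on fxp0 proto tcp from any to 203.0.113.11/32 port = 53 flags S keep state

# DMZ egress: only the outbound flows the services need (outgoing mail,
# DNS resolution). Everything else a DMZ host originates, including anything
# aimed at the internal side, is logged and dropped.
pass in quick on fxp1 proto tcp from 203.0.113.10/32 to any port = 25 flags S keep state
pass in quick on fxp1 proto udp from 203.0.113.11/32 to any port = 53 keep state
pass in quick on fxp1 proto tcp from 203.0.113.11/32 to any port = 53 flags S keep state
block in log quick on fxp1 all

# Link from Firewall2 (traffic arrives already NATed to 192.0.2.2):
# outbound sessions only; replies return via the state table.
pass in quick on fxp2 proto tcp from 192.0.2.2/32 to any flags S keep state
pass in quick on fxp2 proto udp from 192.0.2.2/32 to any keep state
pass in quick on fxp2 proto icmp from 192.0.2.2/32 to any keep state
block in log quick on fxp2 all

# ---------- Firewall2 (NAT plus FTP proxy): /etc/ipnat.conf ----------
# The proxy line comes first, then the general NAT lines;
# 0/32 means "use the address of the interface".
map fxp0 10.1.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map fxp0 10.1.0.0/16 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 10.1.0.0/16 -> 0/32

# ---------- Firewall2: /etc/ipf.rules ----------
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all

# Internal -> anywhere, stateful. IP Filter applies outbound filtering before
# NAT, so the "out on fxp0" rules still see the untranslated 10.1.0.0/16 source.
pass in quick on fxp1 proto tcp from 10.1.0.0/16 to any flags S keep state
pass in quick on fxp1 proto udp from 10.1.0.0/16 to any keep state
pass in quick on fxp1 proto icmp from 10.1.0.0/16 to any keep state
pass out quick on fxp0 proto tcp from 10.1.0.0/16 to any flags S keep state
pass out quick on fxp0 proto udp from 10.1.0.0/16 to any keep state
pass out quick on fxp0 proto icmp from 10.1.0.0/16 to any keep state

# The canary: Firewall1 already drops unsolicited traffic toward this link,
# so any unsolicited packet arriving here means Firewall1 passed something it
# should not have (misconfiguration or compromise). Every such packet is
# logged; a non-empty log on this interface is the signal to investigate.
block in log quick on fxp0 all
```

Load each firewall's rules with `ipf -Fa -f /etc/ipf.rules` and the NAT table with `ipnat -CF -f /etc/ipnat.conf`, then watch the blocked-packet log with `ipmon`. On Firewall2, the only interesting log entries are those from fxp0: with Firewall1 healthy there should be none, which is exactly what makes that log a useful indicator of Firewall1's condition rather than just another list of noise.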