Date: Sat, 24 Nov 2001 21:24:56 -0500
From: "MikeM" <MyRaQ@mgm51.com>
To: "G Brehm" <gbbrehm@yahoo.com>, cjclark@alum.mit.edu
Cc: security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <200111242124560932.023F3386@home.24cl.com>
In-Reply-To: <20011125013812.9839.qmail@web10106.mail.yahoo.com>
References: <20011125013812.9839.qmail@web10106.mail.yahoo.com>
On 11/24/2001 at 5:38 PM G Brehm wrote:

|> It is sad to see this poor design,
|>
|>         Internet
|>            |
|>            |
|>       Firewall--"DMZ"
|>            |
|>            |
|>         Internal
|>
|> Used so very, very much these days (I think thanks to several firewall
|> vendors pushing this as a standard design).
|>
|> A much better design, is
|>
|>         Internet
|>            |
|>            |
|>         Firewall1
|>            |
|>            |
|>           DMZ
|>            |
|>            |
|>         Firewall2
|>            |
|>            |
|>         Internal
|>
|> (This design is actually where the term "DMZ" comes from since it
|> actually looks like one here.)

=============

I'm not sure I agree with your comments. Yes, your architecture is more akin to the origin of the term "DMZ", but is that the real functionality that we want to provide? Should we be more concerned with staying within the strict definition of the military term "DMZ" or should our firewalls provide the needed function?

In my "DMZ", the server only sees port 80 traffic. *only port 80* I cannot possibly provide that functionality with your strict interpretation of a DMZ firewall. Given the options of tossing aside your strict definition of DMZ or re-architecting my firewall, I think I'd vote for tossing aside your definition.
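The two topologies drawn in the quoted message (one three-legged firewall with a "DMZ" interface, versus two firewalls with the DMZ between them) and the "only port 80" policy from the reply, modelled as an added example. This is not code from either poster or from FreeBSD; it is a toy first-match, default-deny packet filter with zones named internet/dmz/internal, all constructed placeholders rather than ipfw or pf syntax. It goes a step beyond the thread by also checking what one over-broad rule on the outer firewall does in each design, which is the defence-in-depth argument implicit in the quoted claim.

```python
"""Toy model of the two firewall topologies discussed in the thread.

Added example, not the posters' code.  Zone names, firewall names and
the probe packets are constructed placeholders.  Each firewall evaluates
its rules first-match-wins and denies anything unmatched, which is the
usual shape of an ipfw/pf ruleset but not its syntax.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ANY = "*"  # wildcard for a zone or port


@dataclass(frozen=True)
class Packet:
    src_zone: str   # "internet", "dmz" or "internal"
    dst_zone: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: object  # an int or ANY
    action: str       # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.src_zone in (ANY, p.src_zone)
                and self.dst_zone in (ANY, p.dst_zone)
                and self.dst_port in (ANY, p.dst_port))


@dataclass
class Firewall:
    name: str
    zones: List[str]            # zones this firewall has an interface in
    rules: List[Rule] = field(default_factory=list)

    def filter(self, p: Packet) -> str:
        """First matching rule decides; no match means deny."""
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


def firewalls_on_path(firewalls: List[Firewall], src: str, dst: str) -> List[Firewall]:
    """Breadth-first search over zones; a firewall joins every zone it touches."""
    frontier = [(src, [])]
    seen = {src}
    while frontier:
        zone, hops = frontier.pop(0)
        if zone == dst:
            return hops
        for fw in firewalls:
            if zone in fw.zones:
                for nxt in fw.zones:
                    if nxt not in seen:
                        seen.add(nxt)
                        frontier.append((nxt, hops + [fw]))
    raise ValueError(f"no path from {src} to {dst}")


def allowed(firewalls: List[Firewall], p: Packet) -> bool:
    """A packet gets through only if every firewall on its path allows it."""
    return all(fw.filter(p) == "allow"
               for fw in firewalls_on_path(firewalls, p.src_zone, p.dst_zone))


# The policy from the reply: the DMZ web server sees port 80 and nothing else.
POLICY = [Rule("internet", "dmz", 80, "allow")]


def three_legged(extra_rules=()) -> List[Firewall]:
    """The quoted "poor design": one box with internet, DMZ and internal legs."""
    return [Firewall("firewall", ["internet", "dmz", "internal"], POLICY + list(extra_rules))]


def two_firewall(extra_rules=()) -> List[Firewall]:
    """The quoted "better design": outer firewall, DMZ, inner firewall.

    The extra rules are applied to the outer firewall only; the inner one
    keeps an empty ruleset, so nothing crosses into internal by default.
    """
    return [Firewall("firewall1", ["internet", "dmz"], POLICY + list(extra_rules)),
            Firewall("firewall2", ["dmz", "internal"], [])]


def check(firewalls: List[Firewall]) -> Dict[str, bool]:
    """Verdicts for a few constructed probe packets."""
    probes = {
        "internet->dmz:80": Packet("internet", "dmz", 80),
        "internet->dmz:22": Packet("internet", "dmz", 22),
        "internet->internal:80": Packet("internet", "internal", 80),
        "dmz->internal:445": Packet("dmz", "internal", 445),
    }
    return {name: allowed(firewalls, p) for name, p in probes.items()}


# An over-broad rule someone might add to let DMZ hosts reach "anything".
SLOPPY = [Rule("dmz", ANY, ANY, "allow")]

if __name__ == "__main__":
    for label, build in (("three-legged", three_legged), ("two-firewall", two_firewall)):
        print(label, "clean:", check(build()))
        print(label, "with sloppy rule:", check(build(SLOPPY)))
```

With the clean policy both designs give identical verdicts, which is the reply's point: the port-80-only restriction does not depend on the two-box layout. The sloppy-rule run shows where they differ: on the single three-legged box that one rule also opens dmz to internal, while in the two-firewall layout the inner box, untouched by the edit, still drops it.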