Date:      Sat, 24 Nov 2001 21:24:56 -0500
From:      "MikeM" <MyRaQ@mgm51.com>
To:        "G Brehm" <gbbrehm@yahoo.com>, cjclark@alum.mit.edu
Cc:        security@FreeBSD.ORG
Subject:   Re: Best security topology for FreeBSD
Message-ID:  <200111242124560932.023F3386@home.24cl.com>
In-Reply-To: <20011125013812.9839.qmail@web10106.mail.yahoo.com>
References:  <20011125013812.9839.qmail@web10106.mail.yahoo.com>


On 11/24/2001 at 5:38 PM G Brehm wrote:

|>
|> It is sad to see this poor design,
|>
|>      Internet
|>         |
|>         |
|>       Firewall--"DMZ"
|>         |
|>         |
|>      Internal
|>
|> Used so very, very much these days (I think thanks
|> to several firewall
|> vendors pushing this as a standard design).
|>
|> A much better design, is
|>
|>       Internet
|>          |
|>          |
|>       Firewall1
|>          |
|>          |
|>         DMZ
|>          |
|>          |
|>       Firewall2
|>          |
|>          |
|>       Internal
|>
|> (This design is actually where the term "DMZ" comes
|> from since it
|> actually looks like one here.)
=============



I'm not sure I agree with your comments. Yes, your architecture is more akin to the origin of the term "DMZ", but is that the real functionality that we want to provide? Should we be more concerned with staying within the strict definition of the military term "DMZ" or should our firewalls provide the needed function?


In my "DMZ", the server only sees port 80 traffic. *only port 80* I cannot possibly provide that functionality with your strict interpretation of a DMZ firewall. Given the options of tossing aside your strict definition of DMZ or re-architecting my firewall, I think I'd vote for tossing aside your definition.









