From owner-freebsd-security Sat Nov 24 18:25:06 2001
Delivered-To: freebsd-security@freebsd.org
Received: from home.24cl.com (121.113.sn.ct.dsl.thebiz.net [216.238.113.121]) by hub.freebsd.org (Postfix) with ESMTP id 8586937B405 for ; Sat, 24 Nov 2001 18:24:59 -0800 (PST)
Received: from bloat (unknown [192.168.0.33]) by home.24cl.com (Postfix) with ESMTP id CD4B281E22; Sat, 24 Nov 2001 21:24:56 -0500 (EST)
Message-ID: <200111242124560932.023F3386@home.24cl.com>
In-Reply-To: <20011125013812.9839.qmail@web10106.mail.yahoo.com>
References: <20011125013812.9839.qmail@web10106.mail.yahoo.com>
X-Mailer: Calypso Version 3.20.01.01 (4)
Date: Sat, 24 Nov 2001 21:24:56 -0500
Reply-To: myraq@mgm51.com
From: "MikeM"
To: "G Brehm" , cjclark@alum.mit.edu
Cc: security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

On 11/24/2001 at 5:38 PM G Brehm wrote:

|>
|> It is sad to see this poor design,
|>
|>     Internet
|>        |
|>        |
|>     Firewall--"DMZ"
|>        |
|>        |
|>     Internal
|>
|> Used so very, very much these days (I think thanks
|> to several firewall
|> vendors pushing this as a standard design).
|>
|> A much better design, is
|>
|>     Internet
|>        |
|>        |
|>     Firewall1
|>        |
|>        |
|>     DMZ
|>        |
|>        |
|>     Firewall2
|>        |
|>        |
|>     Internal
|>
|> (This design is actually where the term "DMZ" comes
|> from since it
|> actually looks like one here.)

=============

I'm not sure I agree with your comments. Yes, your architecture is more akin to the origin of the term "DMZ", but is that the real functionality that we want to provide? Should we be more concerned with staying within the strict definition of the military term "DMZ" or should our firewalls provide the needed function?
In my "DMZ", the server only sees port 80 traffic. *only port 80* I cannot possibly provide that functionality with your strict interpretation of a DMZ firewall. Given the options of tossing aside your strict definition of DMZ or re-architecting my firewall, I think I'd vote for tossing aside your definition.
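The policy behind the single-firewall, three-legged design defended above can be written down and checked. What follows is an added example, not code from the thread or from FreeBSD: a small first-match, default-deny packet filter model in the style of ipfw, with a ruleset that expresses "the DMZ web server only sees port 80" and that a compromised DMZ host cannot initiate traffic to the internal segment. All address ranges, zone names, the host 192.0.2.10 and the rule details are constructed assumptions.

```python
"""Policy model of the single-firewall "three-legged" DMZ design.

Added example (not from the original post or from FreeBSD): an ipfw-style
first-match, default-deny filter whose rules say "the DMZ web server only
sees port 80". Addresses, zones and rules are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan (assumed, not from the thread).
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")      # DMZ leg (TEST-NET-1)
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # internal leg
WEB_SERVER = "192.0.2.10"                           # the one exposed DMZ host


def zone(addr: str) -> str:
    """Map an address to the firewall leg it sits behind."""
    a = ipaddress.ip_address(addr)
    if a in INTERNAL_NET:
        return "internal"
    if a in DMZ_NET:
        return "dmz"
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_zone: str                    # "internet", "dmz", "internal" or "any"
    dst_zone: str
    dst_host: Optional[str] = None   # None = any host in dst_zone
    proto: Optional[str] = None      # None = any protocol
    dport: Optional[int] = None      # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (self.src_zone in ("any", zone(p.src))
                and self.dst_zone in ("any", zone(p.dst))
                and self.dst_host in (None, p.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


# One firewall, three legs. Stateless for clarity; a real ipfw ruleset would
# add keep-state / established rules so reply traffic is admitted.
RULES: List[Rule] = [
    Rule("allow", "internet", "dmz", WEB_SERVER, "tcp", 80),  # the only hole from outside
    Rule("allow", "internal", "dmz", WEB_SERVER, "tcp", 80),  # staff use the site too
    Rule("allow", "internal", "dmz", WEB_SERVER, "tcp", 22),  # administration from inside only
    Rule("allow", "internal", "internet"),                    # outbound browsing
    Rule("deny", "dmz", "internal"),                          # DMZ host can never reach inside
]
DEFAULT = ("deny", 65535)  # ipfw's implicit final rule


def decide(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, int]:
    """First matching rule wins; returns (action, 1-based rule number)."""
    for n, r in enumerate(rules, start=1):
        if r.matches(p):
            return r.action, n
    return DEFAULT


def internet_exposed_ports(host: str, rules: List[Rule] = RULES) -> List[Tuple[str, int]]:
    """Every (proto, port) an Internet source can reach on host, found by
    evaluating the ruleset against each port rather than by reading it."""
    outside = "198.51.100.7"  # constructed Internet address (TEST-NET-2)
    exposed = []
    for proto in ("tcp", "udp"):
        for port in range(1, 65536):
            if decide(Packet(outside, host, proto, port), rules)[0] == "allow":
                exposed.append((proto, port))
    return exposed


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", WEB_SERVER, "tcp", 80),   # web from outside
        Packet("198.51.100.7", WEB_SERVER, "tcp", 22),   # ssh from outside
        Packet("198.51.100.7", "10.1.2.3", "tcp", 80),   # outside straight to internal
        Packet(WEB_SERVER, "10.1.2.3", "tcp", 445),      # DMZ host probing inside
        Packet("10.1.2.3", WEB_SERVER, "tcp", 22),       # admin from inside
    ]
    for pkt in samples:
        print(pkt, "->", decide(pkt))
    print("Internet can reach on web server:", internet_exposed_ports(WEB_SERVER))
```

The `internet_exposed_ports` check is the useful part: it derives the exposed surface from the rules as the filter would evaluate them, so a later rule added in the wrong place (say, an allow-all before the explicit deny) shows up as extra ports rather than being missed in a read-through.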