From owner-freebsd-net@FreeBSD.ORG Wed Oct 3 13:50:24 2007
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5158916A41A for ; Wed, 3 Oct 2007 13:50:24 +0000 (UTC) (envelope-from ericx@vineyard.net)
Received: from vineyard.net (k1.vineyard.net [204.17.195.90]) by mx1.freebsd.org (Postfix) with ESMTP id 2D33E13C4BE for ; Wed, 3 Oct 2007 13:50:24 +0000 (UTC) (envelope-from ericx@vineyard.net)
Received: from amavis-ace1 (a1.vineyard.net [204.17.195.95]) by vineyard.net (Postfix) with ESMTP id B7A3A9155C; Wed, 3 Oct 2007 09:31:44 -0400 (EDT)
X-Virus-Scanned: by AMaViS-ace1 at Vineyard.NET
Received: from smtp1.vineyard.net ([127.0.0.1]) by amavis-ace1 (ace1.vineyard.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id wMYeHisBurzA; Wed, 3 Oct 2007 09:31:44 -0400 (EDT)
Received: from [204.17.195.104] (fortiva.vineyard.net [204.17.195.104]) by smtp1.vineyard.net (Postfix) with ESMTP id 6DAFC158180A; Wed, 3 Oct 2007 09:31:44 -0400 (EDT)
Message-ID: <4703997A.3070206@vineyard.net>
Date: Wed, 03 Oct 2007 09:30:34 -0400
From: "Eric W. Bates"
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Stephen.Clark@seclark.us
References: <47038673.9020403@seclark.us>
In-Reply-To: <47038673.9020403@seclark.us>
X-Enigmail-Version: 0.95.3
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
Subject: Re: are DMZ's out of vogue
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 03 Oct 2007 13:50:24 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Clark wrote:
> Hi List,
>
> Our in-house network configuration is using FreeBSD for our firewall. We
> currently have it set up with 3 interfaces: a public, private and DMZ.
> We are moving to a new facility and our network engineer says nobody is
> using DMZs any more and wants to just do NAT redirects from our FreeBSD
> firewall to servers on the private network. These servers were on the DMZ
> in our current configuration.
>
> Does this make sense? Is it true that DMZs have fallen out of vogue?

I don't think they are out of vogue. But we usually use 2 firewalls. One to
separate the DMZ from the Internet (usually the Cisco with dynamic rules),
and a second behind the DMZ (usually a FreeBSD box) before you get to the
juicy stuff.

By definition, you don't completely trust the machines in the DMZ. Because
you are inviting the public to poke at ports 25, 80, 143, et al. on those
machines you have to assume they will be exploited at any moment; so you
separate them from your safe world as much as possible.

> Sorry for the off topic post.
>
> Thanks for any input,
> Steve
>

- --
Eric W. Bates
ericx@vineyard.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHA5l6D1roJTQ4LlERAubkAJ0YggFHNwhznUw7ce1f3rOacJ0QugCggBwC
ms+SveSUqeUkOKggjxRNU7U=
=C3Qv
-----END PGP SIGNATURE-----
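The point Eric makes (DMZ hosts are expected to be compromised, so they must be separated from the internal network) is easy to lose when a single firewall does both jobs, which is the three-interface layout Stephen describes. The pf.conf below is an added example, not configuration from either poster or from the FreeBSD project; it shows what the single-box DMZ has to enforce and, in a comment, what the network engineer's "just NAT-redirect to the private network" variant would look like. Interface names, address ranges and the two DMZ server addresses are assumptions.

```pf
# Added example, not code from the thread. A three-interface FreeBSD pf.conf
# for the single-firewall DMZ Stephen describes: public ports are redirected
# to DMZ hosts only, and DMZ hosts may not start connections into the LAN.
# Interface names, networks and server addresses below are assumptions.
ext_if = "em0"               # public
int_if = "em1"               # private LAN
dmz_if = "em2"               # DMZ

int_net  = "192.168.10.0/24"
dmz_net  = "192.168.20.0/24"
mail_srv = "192.168.20.25"   # hypothetical DMZ mail host (ports 25, 143)
web_srv  = "192.168.20.80"   # hypothetical DMZ web host (port 80)

set skip on lo0

# Outbound NAT for both inside segments.
nat on $ext_if from { $int_net, $dmz_net } to any -> ($ext_if)

# Published services land on DMZ hosts. The variant the network engineer
# proposed is the same rdr with a private-LAN target, for example
#   rdr on $ext_if proto tcp to ($ext_if) port 80 -> 192.168.10.80
# which places an Internet-reachable daemon on the segment with the LAN.
rdr on $ext_if proto tcp to ($ext_if) port { 25, 143 } -> $mail_srv
rdr on $ext_if proto tcp to ($ext_if) port 80 -> $web_srv

# Default deny, log drops, refuse spoofed sources on the inside interfaces.
block log all
antispoof quick for { $int_if, $dmz_if }

# Internet -> DMZ: only the redirected ports. The filter sees the
# post-rdr destination, so rules name the DMZ host, not the public address.
pass in on $ext_if proto tcp to $mail_srv port { 25, 143 } flags S/SA keep state
pass in on $ext_if proto tcp to $web_srv port 80 flags S/SA keep state

# DMZ -> private LAN: never. "quick" makes this win over any DMZ allow rule
# below, so a compromised DMZ host cannot open connections into the LAN.
block in quick log on $dmz_if from $dmz_net to $int_net

# DMZ -> Internet: only what the services need (DNS, outbound SMTP).
pass in on $dmz_if proto udp from $dmz_net to any port 53 keep state
pass in on $dmz_if proto tcp from $mail_srv to any port 25 flags S/SA keep state

# Private LAN -> DMZ and Internet: the inside may reach out; replies ride
# the state entry, so no DMZ -> LAN pass rule is ever needed.
pass in on $int_if from $int_net to any keep state

# Anything that got past an inbound rule (or originates on the firewall)
# may leave on any interface.
pass out all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the expanded rule order with `pfctl -sr`: the `block in quick` on `$dmz_if` must appear before the DMZ pass rules. Eric's two-firewall layout is this same policy split across two boxes; the outer firewall carries the `rdr` and Internet-to-DMZ rules, and the DMZ-to-LAN block becomes a physically separate device, so a bug or compromise in the outer firewall alone still does not expose the private network.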