Re: Firewall design [was: Re: Best security topology for FreeBSD]

From: Giorgos Keramidas (charon@labs.gr)
Date: 11/23/01


Date: Fri, 23 Nov 2001 12:28:09 +0200
From: Giorgos Keramidas <charon@labs.gr>
To: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>


[ ascii art reordering to cut a few lines of text ]

Internet --- firewall --- internal
                 |
                DMZ
------------------------------------------------------------

Internet --- firewall1 --- DMZ --- firewall2 --- internal

------------------------------------------------------------

On 2001-11-22 20:55:30, Krzysztof Zaraska wrote:
> Could you please explain why the second design is better? I know it's
> harder to properly construct the correct ruleset for the first topology,
> but what are other problems?

Two levels of firewall; one more barrier for intruders. If the same
machine is used for the DMZ and internal firewall, and it is
compromised, then both the DMZ and internal networks are wide open.

This, however, is useless if you use exactly the same hardware/software
both for the `external' and `internal' machines and still have two
separate machines for the two firewalls. The same exploits/bugs that
will let someone in at the external firewall will let him break the
internal firewall when the DMZ has been compromised.

But by now we are deep into paranoia territory :)

-giorgos

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
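Added example (not part of Giorgos's mail or the rest of the thread): a small Python reachability model of the two topologies in the ASCII art, run against the three situations the mail describes: one firewall compromised, two firewalls running the same stack, and two firewalls running different stacks. Node names, the "stack" labels, the permitted flow and the rules of the model are all constructed for this illustration; the model deliberately ignores everything except "can the attacker put arbitrary packets on this wire", which is the "wide open" condition the mail talks about.

```python
from collections import defaultdict

# Topologies from the ASCII art above (names constructed for this example).
# "firewalls" maps a firewall host to its hardware/software stack label;
# "segments" maps a network segment to the stack label of the hosts on it;
# "links" are wires; "permitted" are flows the firewalls let through.
SINGLE_FW = {
    "firewalls": {"fw": "stack-A"},
    "segments": {"dmz": "dmz-host", "internal": "lan-host"},
    "links": [("internet", "fw"), ("fw", "dmz"), ("fw", "internal")],
    "permitted": [("internet", "dmz")],   # DMZ services are exposed on purpose
}

TWO_FW_SAME = {
    "firewalls": {"fw1": "stack-A", "fw2": "stack-A"},
    "segments": {"dmz": "dmz-host", "internal": "lan-host"},
    "links": [("internet", "fw1"), ("fw1", "dmz"), ("dmz", "fw2"), ("fw2", "internal")],
    "permitted": [("internet", "dmz")],
}

# Same wiring, but the inner firewall runs a different stack.
TWO_FW_DIVERSE = {**TWO_FW_SAME, "firewalls": {"fw1": "stack-A", "fw2": "stack-B"}}


def attack(topology, exploits, entry="internet"):
    """Fixpoint over the model's rules (assumptions of this example):
      * anything plugged into a wire the attacker can use unfiltered can be
        attacked, and falls if the attacker has an exploit for its stack;
      * a compromised firewall filters nothing, so every segment attached to
        it becomes an unfiltered wire ("wide open");
      * a segment behind a permitted flow can be attacked on that service
        but stays filtered until a host on it is owned.
    Returns (compromised, unfiltered): the nodes the attacker controls and
    the segments the attacker can put arbitrary packets on."""
    firewalls = topology["firewalls"]
    segments = topology["segments"]
    stack_of = {**firewalls, **segments}
    neighbours = defaultdict(set)
    for a, b in topology["links"]:
        neighbours[a].add(b)
        neighbours[b].add(a)

    compromised = set()
    while True:
        # Unfiltered wires: the entry point, every segment where the attacker
        # owns a host, and every segment hanging off a compromised firewall.
        unfiltered = {entry} | {n for n in compromised if n in segments}
        for fw in compromised & set(firewalls):
            unfiltered |= neighbours[fw]   # assumption: firewalls attach only to segments
        # Attackable: anything on an unfiltered wire, plus segments reachable
        # through a permitted flow from such a wire.
        attackable = set()
        for seg in unfiltered:
            attackable |= neighbours[seg]
        attackable |= {dst for src, dst in topology["permitted"] if src in unfiltered}
        attackable -= {entry}
        newly = {n for n in attackable - compromised if stack_of[n] in exploits}
        if not newly:
            return compromised, unfiltered
        compromised |= newly


def exposes_internal(topology, exploits):
    """True if the attacker ends up with unfiltered access to 'internal'."""
    return "internal" in attack(topology, exploits)[1]


if __name__ == "__main__":
    cases = [("single firewall", SINGLE_FW),
             ("two firewalls, same stack", TWO_FW_SAME),
             ("two firewalls, different stacks", TWO_FW_DIVERSE)]
    for exploits in ({"stack-A"}, {"stack-A", "dmz-host"}, {"dmz-host", "stack-B"}):
        for name, topo in cases:
            owned, wires = attack(topo, exploits)
            print(f"{sorted(exploits)!s:28} {name:32} owns={sorted(owned)} wires={sorted(wires)}")
```

With only a `stack-A` exploit the attacker ends up with unfiltered access to `internal` in both the single-firewall and the same-stack two-firewall designs, which is the mail's point: the second firewall adds nothing if it falls to the bug that took the first. With `fw2` on `stack-B` the attacker stops at the DMZ. The third run shows the flip side: a DMZ host exploit plus a `stack-B` exploit still reaches `internal`, so the inner firewall has to be as well maintained as the outer one.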
