RE: DMZ Design
From: Daniel Miessler (danielrm26@hotmail.com)
Date: 07/18/02
- Previous message: Ogden, Earl: "RE: Sizing a Firewall for a client"
- In reply to: joe macdonald: "DMZ Design"
- Next in thread: Joe: "RE: DMZ Design"
- Reply: Joe: "RE: DMZ Design"
From: "Daniel Miessler" <danielrm26@hotmail.com>
To: "'joe macdonald'" <joe_macdonald25@yahoo.com>, <security-basics@securityfocus.com>
Date: Thu, 18 Jul 2002 16:36:23 -0400
I recommend you check out this thread in the DSLR security forum:
http://www.dslreports.com/forum/remark,3811047~root=security,1~mode=flat#3811047
If you have any questions after viewing that, let me know. In short
though, I suggest not using public IPs for your DMZ and/or Intranet.
If you are using Linux's 2.4 kernel and IPTABLES you can easily
implement NAT and have private address ranges for those networks. This
way, NAT stops all incoming requests from your DMZ to your internal
network just as it stops all incoming requests from the Internet to your
DMZ.
The key is having to specifically allow those connections in, which is
favorable to having them going by default. When you combine this with
solid packet filtering you are heading down the right path.
I strongly suggest Astaro for you also. The sheer number of features in
that product is mind boggling.
Again, let me know if you have any other questions. I will try to help
if I can.
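
The layout the message describes (private ranges behind NAT, with connections let in only by explicit rule), sketched as an added example that is not part of the original post. Interface names, address ranges and the published web host are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: Internet / DMZ / LAN firewall with a default-deny FORWARD policy.
# Every interface name and address here is an assumption for illustration.
WAN_IF=eth0                  # Internet-facing interface (assumed)
DMZ_IF=eth1                  # DMZ interface, private range 192.168.10.0/24 (assumed)
LAN_IF=eth2                  # internal interface (assumed)
LAN_NET=192.168.20.0/24      # private internal range (assumed)
DMZ_WEB=192.168.10.10        # constructed address of the one published DMZ host

# Emit the ruleset in iptables-restore format.
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Publish one service: inbound HTTP is translated to the private DMZ host.
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
# Internal clients leave through the firewall's public address.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Return traffic for connections admitted by the rules below.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ: only the translated web service.
-A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $DMZ_WEB --dport 80 -m state --state NEW -j ACCEPT
# LAN -> DMZ and LAN -> Internet may be initiated from inside.
-A FORWARD -i $LAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# Nothing admits new DMZ -> LAN or Internet -> LAN connections,
# so the DROP policy discards them.
COMMIT
EOF
}

# Print the rules for review by default; load them only with --apply (needs root).
case "${1:-}" in
  --apply) gen_rules | iptables-restore ;;
  *)       gen_rules ;;
esac
```

Because INPUT is also set to DROP, add a rule for whatever management access the firewall itself needs before loading the ruleset.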