Re: Defense in Depth

From: Kenneth R Swain II (ken_at_kenswain.com)
Date: 10/27/04

  • Next message: Rodrigo Fraga: "Re: VPN in debian: L2TP/IPSec? PPTP? ...?"
    Date: Wed, 27 Oct 2004 12:27:58 -0400
    To: Ronish Mehta <sf_mail_sbm@yahoo.com>

    Let me see if I can clear something up.

    ----------
    |        |
    |        | Internet facing firewall
    ----------

    DMZ

    ----------
    |        |
    |        | Internal firewall
    ----------

    As you can see, the DMZ is the area in between the two firewalls. You
    really do not want any servers receiving service requests on your most
    protected side (behind the internal firewall). You are doing the right
    thing by keeping them where they are.

    Defense in depth is something that takes layers. You have taken one of
    the steps by separating what is receiving requests from the Internet
    from your LAN. You now need to finish out the package. You need AV,
    patch management, host-based IDS, network IDS, and auditing, just to
    name a few. Defense in depth is hard to achieve for a home user since
    it means computers that are dedicated to things like IDS. Once you have
    these in place you also need to configure and tune them. There is no
    magic bullet and it will take some work. Good luck.

    -Ken

    On Oct 27, 2004, at 3:33 AM, Ronish Mehta wrote:

    >
    > Hi List,
    >
    > I have a network setup with 2 firewalls
    >
    > There is a DMZ on the Internet facing firewall
    >
    > This DMZ contains servers that host
    > both "http" and "https" pages
    >
    > There is no DMZ on the second firewall
    >
    > From what I understand, this setup is not providing
    > defense in depth, at least not full defense in depth
    >
    > I wanted to create a DMZ on the second firewall, and
    > move servers that host "HTTPS" pages to this new DMZ
    >
    > Would this new setup improve the security of the
    > network?
    >
    > Thanks for comments,
    >
    > Ronish
    >
    Ken Swain
    mail: ken@kenswain.com
    im: aim:krswain190
    web: kenswain.com
    "/dev/geek"
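As an added illustration (not part of Ken's or Ronish's messages): a small Python model of the two-firewall layout Ken draws, with default-deny rulesets on both firewalls. Zone names, ports and rules are constructed for the example; it shows that moving the HTTPS servers behind the internal firewall, as Ronish proposed, would need an inbound allow rule on both firewalls, opening a path into the most protected side.

```python
# Constructed model of a two-firewall (edge / DMZ / internal) layout.
# Zones, paths and rules are assumptions for illustration, not a real config.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    port: int     # destination TCP port, 0 means any port
    allow: bool

# Firewalls a new connection must cross, in order, for each zone pair.
PATH = {("internet", "dmz"): ["edge"],
        ("internet", "lan"): ["edge", "internal"],
        ("dmz", "lan"): ["internal"],
        ("lan", "dmz"): ["internal"],
        ("lan", "internet"): ["internal", "edge"]}

# Both firewalls default-deny; only listed flows are permitted.
FIREWALLS = {
    "edge": [Rule("internet", "dmz", 80, True),
             Rule("internet", "dmz", 443, True),
             Rule("lan", "internet", 0, True)],   # stateful outbound from LAN
    "internal": [Rule("lan", "internet", 0, True),
                 Rule("lan", "dmz", 443, True)],  # LAN may reach DMZ web servers
}

def firewall_allows(name, src, dst, port):
    """First matching rule wins; no match falls through to default deny."""
    for r in FIREWALLS[name]:
        if r.src == src and r.dst == dst and r.port in (0, port):
            return r.allow
    return False

def allowed(src, dst, port):
    """A flow is allowed only if every firewall on its path permits it."""
    hops = PATH.get((src, dst))
    if hops is None:
        return False
    return all(firewall_allows(fw, src, dst, port) for fw in hops)

def holes_needed(src, dst, port):
    """Firewalls on the path that would each need a new allow rule for this flow."""
    return [fw for fw in PATH.get((src, dst), [])
            if not firewall_allows(fw, src, dst, port)]
```

`holes_needed("internet", "lan", 443)` returns both firewalls, which is the layer Ken says you do not want to open; `holes_needed("internet", "dmz", 443)` returns nothing because only the edge firewall is involved.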