RE: Proxy & Firewall Implementation
From: David Gillett (gillettdavid_at_fhda.edu)
Date: 01/13/05
- Previous message: Jason Workman: "RE: SOX compliance and assessment"
- In reply to: John: "Proxy & Firewall Implementation"
- Next in thread: Conlan Adams: "RE: Proxy & Firewall Implementation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'John'" <naverxp@yahoo.com.sg>, <security-basics@securityfocus.com>
Date: Thu, 13 Jan 2005 14:16:00 -0800
There's no question that you need at least one firewall filtering
traffic between your internal network and the outside world. Your
DMZ servers accept connections from that outside world, so you want
filtering between them and the inside network, too. But they shouldn't
accept any and all connections from the outside. There are three
basic ways to do this:
1. Put a firewall between your internal network and the DMZ which allows
session origination only from the trusted internal network. Put another
firewall between the DMZ and the outside, which allows session origination
from the inside and DMZ, and much more limited from the outside into just
the DMZ.
2. Put a firewall between your internal network and the DMZ which allows
session origination only from the trusted internal network. Harden your
DMZ servers ("bastion servers") to the gills.
3. Put your internal network, DMZ, and the Internet on three (or more)
interfaces of a firewall with appropriate filtering rules for traffic
between these zones.
Option #1 can be the most secure, but at the price of a second firewall,
more complicated management (especially if the firewalls are of different
types or vendors), and probably some performance overhead.
Option #2 can be inexpensive, and provides the best possible performance.
Option #3 offers a good trade-off between price, performance, protection,
and manageability.
The relative priority of these four criteria varies from one organization to
the next. One size does not fit all.
David Gillett
> -----Original Message-----
> From: John [mailto:naverxp@yahoo.com.sg]
> Sent: Wednesday, January 12, 2005 5:04 PM
> To: security-basics@securityfocus.com
> Subject: Proxy & Firewall Implementation
>
>
> Hi
>
> I'm a fresh graduate in the System Administrator field. Recently,
> with much luck, I was recommended to a company to implement a
> firewall system for their network infrastructure. I hope to pick up
> some experience from this forum as to how people here might consider
> different circumstances when placing their proxy server inside a
> protected network (behind the firewall) or before the firewall. Would
> I need two firewalls? (I'm considering the Cisco FW and CyberGuard FW.)
>
> During my research, I found documentation written by a blackhat who
> suggested allocating most of my services (httpd, mail, etc.) to a DMZ
> outside the internal network and making redundancies every night. My
> second question: why did he suggest that? Why expose my services
> outside the network, where my information is live and exposed to the
> risk of being compromised?
>
> John
>
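As an added example, not from David's post or from any of the products named in the thread, here is how the three-interface layout of option #3 could be written as a Linux nftables ruleset. The interface names (eth0 outside, eth1 inside, eth2 DMZ), the DMZ host addresses and the published ports are assumptions; the point is that each zone may only originate sessions in the directions David describes, and replies ride on connection tracking.

```nft
#!/usr/sbin/nft -f
# Assumed interface-to-zone mapping and DMZ addresses (placeholders).
define WAN = eth0
define LAN = eth1
define DMZ = eth2
define DMZ_WEB  = 192.0.2.10
define DMZ_MAIL = 192.0.2.25

flush ruleset

table inet threezone {
    chain forward {
        # Default: nothing crosses between zones unless explicitly allowed.
        type filter hook forward priority filter; policy drop;

        # Return traffic for sessions already permitted below.
        ct state established,related accept
        ct state invalid drop

        # Trusted inside may originate sessions to the DMZ and to the outside.
        iifname $LAN oifname { $WAN, $DMZ } accept

        # Outside may originate sessions only to the published DMZ services.
        iifname $WAN oifname $DMZ ip daddr $DMZ_WEB  tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ ip daddr $DMZ_MAIL tcp dport 25 accept

        # DMZ may originate sessions outbound (outgoing mail, updates) ...
        iifname $DMZ oifname $WAN accept

        # ... but never inward; log attempts so a compromised DMZ host is noticed.
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan: " drop
    }
}
```

Because the policy is drop and only `ct state established,related` carries replies, a DMZ server that is compromised cannot open new sessions toward the internal network, which is exactly the property option #1 buys with a second firewall.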