Re: firewalling and dmz - hmmmm...
From: karl [x y] (jamescagney90210@excite.com) Date: 08/23/02
- Next message: karl [x y]: "Re: Is there a reliable firewall product for Windows XP yet?"
- Previous message: : "Re: firewalling and dmz - hmmmm..."
- In reply to: bad_knee: "firewalling and dmz - hmmmm..."
- Next in thread: Berk S. Daemon: "Re: firewalling and dmz - hmmmm..."
- Reply: Berk S. Daemon: "Re: firewalling and dmz - hmmmm..."
- Reply: bad_knee: "Re: firewalling and dmz - hmmmm..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "karl [x y]" <jamescagney90210@excite.com> Date: Fri, 23 Aug 2002 07:57:11 -0400
"bad_knee" <bl8n8r@yahoo.com> wrote in message
news:e817ca4d.0208230309.5914f6eb@posting.google.com...
> I guess the dmz here would be between hub1 and hub2, but what's
> the advantage? If fwall_a gets cracked, fwall_b is now at risk.
> The only advantage I can see here is I may have a few minutes,
> hours, or weeks before fwall_b is compromised and then my internal
> lan is 'sixed.
A compromise of the first firewall or of a computer in the DMZ does not
necessarily mean that the internal network is going to be penetrated in
another 10 seconds. If you use firewalls from two different vendors, an
intruder that is able to compromise the first layer of security through a
bug of some sort may not be able to get any further.
A more common scenario is for an intruder to use open ports on the firewall
to compromise a host in the DMZ, such as a web server, using a vulnerability
on that server. If and when this happens, I hope you'll agree that it's
much better to have a firewall between that server and your internal network
than having the web server on your internal network. You don't hear too
many people nowadays saying, "We figured a hacker would be able to penetrate
a firewall, so we decided not to use a firewall."
Also, a second firewall [or an IDS] behind your first firewall is probably
necessary to let you know that the first firewall was penetrated. A second
firewall could potentially help you protect your DMZ servers from
unauthorized access from internal users as well.
One possible vulnerability in the firewall setup you mention is that an
intruder could potentially install sniffer software on a compromised DMZ
server and capture the traffic passing between your internal network, the
DMZ and the internet.
Security is not really about trying to make your network 100% impenetrable
as much as it's about using due diligence to reduce risk and prevent being
found legally liable for an intrusion by not taking at least the minimum
reasonable precautions to prevent it from happening.
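The layered design karl describes (an outer firewall between the internet and the DMZ, a second one between the DMZ and the internal LAN, with the inner one also telling you when the outer layer has been beaten) can be expressed as two small rulesets and a traversal model. The following is an added example written for this page, not code from the original thread or from any poster; the address plan (192.0.2.0/24 for the DMZ, 10.0.0.0/8 internally, a web server at 192.0.2.10 and an admin host at 10.0.0.5), the rule names and the functions `build_firewalls`, `traverse` and `inward_alerts` are all constructed assumptions. It models connection initiation only (stateless, first-match-wins), which is enough to show the three points from the post: a cracked DMZ host is stopped at `fwall_b`, internal users get no more DMZ access than the admin rule grants, and a denied DMZ-to-internal attempt on the inner firewall is the signal that the outer layer was penetrated.

```python
"""Two-firewall DMZ policy model (constructed example, not a real site)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed address plan using TEST-NET-1 and RFC 1918 space.
DMZ_NET = ip_network("192.0.2.0/24")
INTERNAL_NET = ip_network("10.0.0.0/8")
WEB = "192.0.2.10"      # public web server living in the DMZ
ADMIN = "10.0.0.5"      # the one internal host allowed to administer DMZ boxes
FILESRV = "10.0.0.20"   # an ordinary internal host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # CIDR
    dst: str                      # CIDR
    dports: Tuple[int, ...] = ()  # () means any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (not self.dports or p.dport in self.dports))


@dataclass
class Firewall:
    name: str
    rules: List[Rule]
    # Denied attempts, kept as (src, dst, dport, reason) so they can be queried.
    log: List[Tuple[str, str, int, str]] = field(default_factory=list)

    def decide(self, p: Packet) -> str:
        """First matching rule wins; anything unmatched is denied and logged."""
        for r in self.rules:
            if r.matches(p):
                if r.action == "deny":
                    self.log.append((p.src, p.dst, p.dport, r.comment))
                return r.action
        self.log.append((p.src, p.dst, p.dport, "default deny"))
        return "deny"


def zone(ip: str) -> str:
    a = ip_address(ip)
    if a in DMZ_NET:
        return "dmz"
    if a in INTERNAL_NET:
        return "internal"
    return "internet"


def build_firewalls() -> Tuple[Firewall, Firewall]:
    # fwall_a sits between the internet and the DMZ: only the web service is exposed.
    fw_a = Firewall("fwall_a", [
        Rule("allow", "0.0.0.0/0", f"{WEB}/32", (80, 443), "public web service"),
        Rule("deny", "0.0.0.0/0", str(INTERNAL_NET), (), "internet never reaches internal"),
        Rule("allow", str(INTERNAL_NET), "0.0.0.0/0", (80, 443), "internal users browsing out"),
        Rule("allow", str(DMZ_NET), "0.0.0.0/0", (80, 443), "DMZ hosts fetching updates"),
    ])
    # fwall_b sits between the DMZ and the internal LAN (a different product, per the post).
    fw_b = Firewall("fwall_b", [
        Rule("allow", f"{ADMIN}/32", str(DMZ_NET), (22,), "admin ssh into DMZ"),
        Rule("allow", str(INTERNAL_NET), f"{WEB}/32", (80, 443), "staff use the web server"),
        Rule("deny", str(INTERNAL_NET), str(DMZ_NET), (), "no other internal->DMZ access"),
        Rule("deny", str(DMZ_NET), str(INTERNAL_NET), (), "DMZ must never initiate inward"),
        Rule("allow", str(INTERNAL_NET), "0.0.0.0/0", (80, 443), "internal users browsing out"),
    ])
    return fw_a, fw_b


def traverse(p: Packet, fw_a: Firewall, fw_b: Firewall) -> Tuple[str, str]:
    """Return (verdict, name of the firewall that blocked it, or "")."""
    path = {("internet", "dmz"): [fw_a], ("dmz", "internet"): [fw_a],
            ("dmz", "internal"): [fw_b], ("internal", "dmz"): [fw_b],
            ("internet", "internal"): [fw_a, fw_b], ("internal", "internet"): [fw_b, fw_a]}
    for fw in path.get((zone(p.src), zone(p.dst)), []):  # same-zone traffic crosses nothing
        if fw.decide(p) == "deny":
            return "deny", fw.name
    return "allow", ""


def inward_alerts(fw_b: Firewall) -> List[Tuple[str, str, int, str]]:
    """Denied DMZ->internal attempts: a healthy DMZ host never does this,
    so each entry suggests the outer layer (or a DMZ server) was compromised."""
    return [e for e in fw_b.log if zone(e[0]) == "dmz" and zone(e[1]) == "internal"]


if __name__ == "__main__":
    fw_a, fw_b = build_firewalls()
    for p in [Packet("203.0.113.7", WEB, 443), Packet("203.0.113.7", WEB, 22),
              Packet(WEB, FILESRV, 445), Packet(ADMIN, WEB, 22),
              Packet(FILESRV, WEB, 22), Packet(FILESRV, "203.0.113.7", 443)]:
        print(f"{p.src} -> {p.dst}:{p.dport}", traverse(p, fw_a, fw_b))
    print("inward alerts on fwall_b:", inward_alerts(fw_b))
```

The inward-deny rule on `fwall_b` is the one worth watching: it is what keeps a compromised web server from reaching the LAN, and its log entries are exactly the "let you know the first firewall was penetrated" signal the post mentions. Real firewalls are stateful, so return traffic for allowed connections would be handled by connection tracking rather than by extra rules.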