Re: what's DMZ

From: Cedric Blancher <blancher@cartel-securite.fr>
Date: Fri, 21 Mar 2003 16:44:59 +0100

In his prose, Wolfgang Kueter wrote to us:
>> redirect/alter/DoS LAN
> Depends, but the external packet filter/Firewall/Gateway should offer
> (some) protection against such threats.

If you deal with authorized flows, then the external filter cannot do more
than let them pass...

I forgot to mention spoofing too. You can intercept an HTTP flow, corrupt
it and then resend it with the original IP.

> Well, this setup which is very common too, but relies totally on the
> security of _one_ gateway. The other setup offers two lines of defense.

True. As Obiwan pointed out, you can provide this kind of architecture
with more than one gateway?

> Besides that the configuration of the firewall systems/packet filters in
> the first example might include redirections to proxies placed in the
> DMZ and the ruleset of the packet filters might only allow certain
> outgoing connections from those proxies.

Dealing with proxies, I would create another DMZ for them. I do not want
my public servers to stand just next to proxies used by the LAN. I think
traffic that is not intended for the DMZ must not be carried on the same
ethernet network (i.e. ethernet broadcast domain).

> Though there are risks I'd not call the setup 'fucked up'.

I must confess ;)
You can set an IPSEC tunnel up between the two GW and route LAN-Internet
traffic into it. So, you're far less exposed to LAN-Internet compromise.

-- 
printk(KERN_WARNING "%s: Short circuit detected on the lobe\n",
dev->name);
	2.4.0-test2 /usr/src/linux/drivers/net/tokenring/lanstreamer.c
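The split between a public-server DMZ and a separate proxy DMZ that Cedric argues for above, written out as a small first-match filter policy. This is an added example, not code from the post or from any product; the zone names, the 192.168.x.0/24 addressing and the port numbers are assumptions chosen for illustration. The model also makes the broadcast-domain point explicit: two hosts on the same segment never cross the packet filter at all, which the evaluator reports as UNFILTERED. Put the proxies on the public-server segment and a compromised public server reaches them without any rule having a say; give them their own segment and the same flow hits an explicit DROP.

```python
"""Toy model of a two-DMZ packet-filter policy (added example, hypothetical
addressing and ports).

Zones: LAN, DMZ_PUBLIC (public servers), DMZ_PROXY (outbound proxies used by
the LAN), INTERNET (anything not in a known segment). Rules are first-match
and the default is DROP. A flow between two hosts on the same segment does
not traverse the filter, so it is reported as UNFILTERED rather than as an
ACCEPT or DROP.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed, hypothetical segment addressing (not from the original post).
SEGMENTS = {
    "LAN": ip_network("192.168.10.0/24"),
    "DMZ_PUBLIC": ip_network("192.168.20.0/24"),
    "DMZ_PROXY": ip_network("192.168.30.0/24"),
}

ANY = None  # placeholder for "any destination port"


@dataclass(frozen=True)
class Rule:
    src: str                      # source zone
    dst: str                      # destination zone
    proto: str                    # "tcp", "udp" or "any"
    dports: Optional[frozenset]   # None = any destination port
    action: str                   # "ACCEPT" or "DROP"


# First-match ruleset. Only the proxy DMZ may talk to the Internet from the
# inside; the LAN reaches the Internet solely through the proxy; public servers
# may not initiate anything toward the LAN or toward the proxy DMZ.
RULES = [
    Rule("INTERNET", "DMZ_PUBLIC", "tcp", frozenset({80, 443, 25}), "ACCEPT"),
    Rule("LAN", "DMZ_PROXY", "tcp", frozenset({3128}), "ACCEPT"),
    Rule("DMZ_PROXY", "INTERNET", "tcp", frozenset({80, 443}), "ACCEPT"),
    Rule("DMZ_PROXY", "INTERNET", "udp", frozenset({53}), "ACCEPT"),
    Rule("LAN", "DMZ_PUBLIC", "tcp", frozenset({22}), "ACCEPT"),  # admin only
    Rule("DMZ_PUBLIC", "LAN", "any", ANY, "DROP"),
    Rule("DMZ_PUBLIC", "DMZ_PROXY", "any", ANY, "DROP"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known segments is INTERNET."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "INTERNET"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Decide the fate of a new flow: ACCEPT, DROP or UNFILTERED.

    UNFILTERED means both endpoints sit on the same ethernet segment, so the
    packet filter never sees the traffic; this is the case Cedric wants to
    avoid for LAN proxy traffic and public servers.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "INTERNET":
        return "UNFILTERED"
    for r in RULES:
        if (r.src == src and r.dst == dst
                and r.proto in ("any", proto)
                and (r.dports is None or dport in r.dports)):
            return r.action
    return "DROP"  # default deny


def main() -> None:
    # Constructed sample flows; 203.0.113.7 is a documentation address.
    samples = [
        ("192.168.10.5", "203.0.113.7", "tcp", 80),     # LAN direct to Internet
        ("192.168.10.5", "192.168.30.2", "tcp", 3128),  # LAN to proxy
        ("192.168.30.2", "203.0.113.7", "tcp", 443),    # proxy to Internet
        ("203.0.113.7", "192.168.20.10", "tcp", 80),    # Internet to web server
        ("192.168.20.10", "192.168.30.2", "tcp", 3128), # owned web server to proxy
        ("192.168.20.10", "192.168.20.20", "tcp", 3128),# same-segment: never filtered
    ]
    for s, d, p, port in samples:
        print(f"{zone_of(s):11} {s:14} -> {zone_of(d):11} {d:14} {p}/{port}: "
              f"{evaluate(s, d, p, port)}")


if __name__ == "__main__":
    main()
```

The last sample line is the argument in one row: 192.168.20.20 stands in for a proxy that was placed on the public-server segment, and the filter returns UNFILTERED because it is simply not in the path. The row before it shows the same attacker reaching a proxy that lives in its own DMZ and meeting an explicit DROP.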