[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: network question - is this unusual?



On Sat, 2009-06-06 at 19:54 -0400, Bill Davidsen wrote:
> I have mixed feeling on that, I think if you don't run a formal DMZ:
> 
> Internet----firewall1--------------------firewall2---internal_pvt_net
>                           |          |
>                         http       smtp
>                          svr        svr
> 
> you are better with the web and mail servers on the firewall than
> inside it, where if the server gets compromised it looks like a
> trusted internal machine.

Hackable thing on the firewall makes it easier to hack the firewall...

If you were going for best practice, your firewall would be just a
firewall, and do nothing else.  And you'd still configure your network
behind the firewall to distrust anything that's not necessary (firewalls
on each machine).

You should certainly do that on any network where it's possible for
someone to connect an extra computer to it, somehow.

Your router could also be more stringent than the usual unconfigured
ones, doing what people commonly think of being the DMZ type of thing:
That only some traffic could go to the web server, and only in certain
directions.

DMZ isn't what most people think - it's allowing unfiltered traffic to
that device on the DMZ zone.  It's not isolating the thing from
everything else.  The opposite, of a firewall, if you please.

-- 
[tim localhost ~]$ uname -r
2.6.27.24-78.2.53.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]