Subject: Re: Enhancing my firewall/gateway: Adding a DMZ
To: None <firstname.lastname@example.org>
From: Michael Richardson <email@example.com>
Date: 12/21/2002 17:26:42
seth> However, there really isn't any point in having a DMZ with only one
Seth is using the classic definition of DMZ.
Some companies argued for doing:
This was from companies that couldn't cope with having three interfaces on
their firewall (because they had an "in" and an "out", and didn't do general
policy). Usually, fwA was a packet filter, fwB was application layer.
Once they figured out how to do "Service" networks (a term which BorderWare
coined, and Milkyway Networks used as well), they then continued to abuse the
"DMZ" term to greater confusion. So, I recommend avoiding the term.
[ASCII network diagram: service network]
Put the web server, and possibly the incoming mail server on the service
network. There should be firewall rules that carefully restrict what can be
done *outgoing* from the service network. In particular, you do *not* want to
enable SSH, telnet, or port 80 outgoing by default. The reason? Because once
the service network machines are compromised (you plan on this assumption),
then they can't be used to attack others. You also have to make sure that
you don't permit any traffic from the service network to the private network.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] firstname.lastname@example.org http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
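The layout described in the message above, written out as a pf ruleset. This is an added example, not code from the original post or from Sandelman Software Works; the interface names, address ranges and the single permitted resolver are assumptions chosen for illustration. It shows the three points the message makes: a default deny, an absolute block from the service network to the private network, and an outgoing policy from the service network that does not include SSH, telnet or port 80.

```pf
# Added example (not from the original message): pf ruleset for a firewall
# with three interfaces. Interface names and addresses are assumptions.
ext_if   = "em0"                # Internet side
svc_if   = "em1"                # service network (web server, incoming mail)
int_if   = "em2"                # private network
svc_net  = "192.0.2.0/24"       # constructed sample address space
int_net  = "10.1.0.0/24"        # constructed sample address space
www      = "192.0.2.10"         # constructed: web server on the service network
mx       = "192.0.2.25"         # constructed: incoming mail server
resolver = "198.51.100.53"      # constructed: the one DNS server service hosts may use

set skip on lo0
set state-policy floating       # a state opened on one interface also passes the
                                # packet on the interface it leaves through

# Default deny, logged, in every direction on every interface.
block log all

# The service network must never reach the private network, regardless of
# any rule added later: 'quick' stops rule evaluation here.
block in log quick on $svc_if from $svc_net to $int_net

# Drop packets arriving on the service interface whose source address does
# not belong there (a compromised service host pretending to be internal).
antispoof log quick for $svc_if

# Inbound from the Internet: only the published services.
pass in on $ext_if proto tcp from any to $www port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mx  port 25          flags S/SA keep state

# Outbound from the service network: only what the services need to function.
# SSH, telnet and port 80 toward the Internet stay closed by the default deny,
# so a compromised service host cannot be used to reach other sites.
pass in on $svc_if proto { tcp, udp } from $svc_net to $resolver port 53 keep state

# Private network may reach the service hosts' public ports and the Internet.
pass in on $int_if proto tcp from $int_net to { $www, $mx } port { 25, 80, 443 } flags S/SA keep state
pass in on $int_if from $int_net to ! $svc_net keep state

# Weak setting this ruleset deliberately does NOT contain:
#   pass in on $svc_if from $svc_net to any keep state
# which would let a compromised web server open connections anywhere.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. If the mail host on the service network also has to deliver mail outward, one further rule for port 25 from `$mx` is the only outgoing addition it should need; everything else from the service network stays blocked and logged, which makes a compromised host's connection attempts visible in the pf log.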