RE: DMZ or not ?

From: Thomas Crowe (thomas.croweat_private)
Date: Sun Oct 10 1999 - 11:55:19 PDT


    If you operate in between the router and the firewall, you lose the stateful
    inspection capabilities of your firewall.  You also lose some other
    protection like syn flooding detection and prevention.  Also unless you have
    a router guru on staff it is much easier to enforce security policies on a
    firewall than a router.  Many routers will do many of the functions of a
    firewall, esp. if you get something like the Cisco IOS firewall feature
    set, and yes you can even prevent things like syn flooding with a router,
    but it is a magnitude more difficult.
    
    Thomas Crowe
    Production Network Systems Administrator
    BellSouth Online
    678-441-7454
    
    > -----Original Message-----
    > From: Moore, James [mailto:James.Mooreat_private]
    > Sent: Friday, October 08, 1999 6:53 PM
    > To: Thomas Crowe; fgbat_private; firewall-wizardsat_private
    > Subject: RE: DMZ or not ?
    >
    >
    > Could someone expand on this advice, and list/explain the additional risks
    > assumed by operating between the router and firewall (as opposed to
    > operating off a third firewall interface)?
    >
    > James Moore
    >
    > > -----Original Message-----
    > > From:	Thomas Crowe [SMTP:thomas.croweat_private]
    > > Sent:	Friday, October 08, 1999 7:29 AM
    > > To:	fgbat_private; firewall-wizardsat_private
    > > Subject:	RE: DMZ or not  ?
    > >
    > > That depends a lot on what definition of a DMZ you're using!  If you mean
    > > the classical definition of a DMZ i.e. in between the router and the
    > > firewall *unprotected* except by router ACLs, then my advice would be,
    > > don't do it, not under any circumstances! (ok maybe one or two
    > > circumstances).  If you're referring to the somewhat more contemporary
    > > definition of a DMZ i.e. another interface off your firewall, whereas all
    > > traffic must still traverse the firewall, then I would say go for it,
    > > that way *when* your public machines get hacked your internal network is
    > > still protected, this is good; very good :-).  NAT is a good thing but it
    > > is security through obscurity which isn't very secure in and of itself.
    > > Just my $0.02
    > >
    > > Thomas Crowe
    > > Production Network Systems Administrator
    > > BellSouth Online
    > > 678-441-7454
    > >
    > > > -----Original Message-----
    > > > From: owner-firewall-wizardsat_private
    > > > [mailto:owner-firewall-wizardsat_private]On Behalf Of
    > > > fgbat_private
    > > > Sent: Wednesday, October 06, 1999 9:57 AM
    > > > To: firewall-wizardsat_private
    > > > Subject: DMZ or not ?
    > > >
    > > >
    > > > Hello wizards,
    > > >
    > > > Divergences are occurring here in my office about the use of a
    > > > DMZ, and I hope the wizards will give me some explanations and/or
    > > > secure information about the better
    > > > implementation.
    > > >
    > > > Currently, we're using Linux as a Firewall Box, with a port
    > > > forwarding to our mail server, that is behind the firewall.
    > > >
    > > > We are now about to install a public web server and a DNS
    > > > server. What are the advantages and disadvantages of placing these
    > > > servers behind the firewall and performing
    > > > NAT or Port forwarding, instead of using a DMZ ?
    > > >
    > > > Which of the options should I implement here in my office, to
    > > > have a secure site ?
    > > >
    > > > Thanks and regards,
    > > >
    > > > Fábio Baptista
    > > > fgbat_private
    > > >
    > > >
    > > >
    >
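
The "another interface off your firewall" design the thread recommends, written out as a complete Linux nftables forwarding policy for a three-legged firewall. This is an added example, not code from any poster; the interface names, the RFC 1918 subnets and the two public hosts (web server and DNS server, matching the original question) are assumptions.

```nftables
# Added example, not from the thread. Assumed layout:
#   eth0 = external (towards the router), eth1 = internal LAN, eth2 = DMZ
#   192.168.10.0/24 = internal LAN, 192.168.20.0/24 = DMZ
#   192.168.20.10 = public web server, 192.168.20.53 = public DNS server
flush ruleset

define wan = "eth0"
define lan = "eth1"
define dmz = "eth2"
define web = 192.168.20.10
define dns = 192.168.20.53

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful inspection: replies to accepted sessions pass, bogus state is dropped.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services on the published hosts.
        iifname $wan oifname $dmz ip daddr $web tcp dport { 80, 443 } ct state new accept
        iifname $wan oifname $dmz ip daddr $dns udp dport 53 ct state new accept
        iifname $wan oifname $dmz ip daddr $dns tcp dport 53 ct state new accept

        # LAN -> DMZ and LAN -> Internet: inside hosts may originate sessions.
        iifname $lan oifname { $dmz, $wan } ct state new accept

        # DMZ -> LAN: never. A hacked public host still cannot reach the inside.
        iifname $dmz oifname $lan counter log prefix "DMZ->LAN blocked: " drop

        # DMZ -> Internet: only what the public services need (resolver traffic here).
        iifname $dmz oifname $wan ip saddr $dns udp dport 53 ct state new accept
        iifname $dmz oifname $wan ip saddr $dns tcp dport 53 ct state new accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Port forwarding from the single public address into the DMZ hosts.
        iifname $wan tcp dport { 80, 443 } dnat to $web
        iifname $wan udp dport 53 dnat to $dns
        iifname $wan tcp dport 53 dnat to $dns
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Hide LAN and DMZ addresses behind the firewall's public address.
        oifname $wan masquerade
    }
}
```

Rules for traffic to the firewall host itself (input/output chains) are left out on purpose; the point is the forwarding policy between the three zones, where the DMZ-to-LAN drop is what keeps the internal network protected when a public host is compromised.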
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:32 PDT