RE: DMZ or not ?

From: Ben Nagy (bnagyat_private)
Date: Sun Oct 10 1999 - 17:22:37 PDT


    Hm.
    
    Tom, why do you presume that the protection offered by a router with decent
    ACLs is going to be any worse than a firewall? In some cases it's true, but
    for simple-simon upper layer protocols like HTTP then unless you're using an
    amazing application proxy (and arguably not even then) you often gain very
    little and lose speed. The basic argument is that once you're allowing
    people access to the WWW service then you've lost most of the battle - they
    can get at all your CGI scripts, ASPs or what-the-hell-ever you have sitting
    around waiting for a remote exploit.
    
    The "Classic" DMZ offers the same level of protection for the internal
    network, so that's not an issue...
    
    Finally, _static_ NAT may be security by obscurity, but dynamic NAT does
    actually improve security by only making connections to dynamically mapped
    hosts available for a short time, and only after a connection has been
    initiated. This is not an issue for incoming WWW and DNS in this case
    though.
    
    Fabio, I would certainly recommend getting those WWW servers out of the
    internal network and into some kind of DMZ. As Tom points out, this helps
    prevent the WWW server being used as a staging point to mount an attack on
    the internal network.
    
    Personally, if you have a router, I think you'll get (slightly) better WWW
    performance and not lose much security by putting the WWW server directly
    behind the router, as long as you can mess with its access control lists. If
    it's not your router, I'd hang another NIC off the firewall.
    
    Make sure you've taken all the sensible precautions relevant to your
    particular DNS server - you don't want people to be able to mess with your
    DNS.
    
    Cheers,
    
    --
    Ben Nagy
    Network Consultant, CPM&S Group of Companies
    PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 
    
    > -----Original Message-----
    > From: Thomas Crowe [mailto:thomas.croweat_private]
    > Sent: Friday, 8 October 1999 9:59 PM
    > To: fgbat_private; firewall-wizardsat_private
    > Subject: RE: DMZ or not ?
    > 
    > 
    > That depends a lot on what definition of a DMZ you're using!
    > If you mean the classical definition of a DMZ, i.e. in between the router
    > and the firewall, *unprotected* except by router ACLs, then my advice
    > would be, don't do it, not under any circumstances! (ok maybe one or two
    > circumstances). If you're referring to the somewhat more contemporary
    > definition of a DMZ, i.e. another interface off your firewall, whereas all
    > traffic must still traverse the firewall, then I would say go for it; that
    > way *when* your public machines get hacked your internal network is still
    > protected, this is good; very good :-). NAT is a good thing but it is
    > security through obscurity which isn't very secure in and of itself.
    > Just my $0.02
    > 
    > Thomas Crowe
    > Production Network Systems Administrator
    > BellSouth Online
    > 678-441-7454
    > 
    > > -----Original Message-----
    > > From: owner-firewall-wizardsat_private
    > > [mailto:owner-firewall-wizardsat_private]On Behalf Of
    > > fgbat_private
    > > Sent: Wednesday, October 06, 1999 9:57 AM
    > > To: firewall-wizardsat_private
    > > Subject: DMZ or not ?
    > >
    > >
    > > Hello wizards,
    > >
    > > Divergences are occurring here in my office about the use of a
    > > DMZ, and I hope the wizards will give me some explanations and/or
    > > secure information about the better
    > > implementation.
    > >
    > > Currently, we're using Linux as a Firewall Box, with a port
    > > forwarding to our mail server, that is behind the firewall.
    > >
    > > We are on the way now to install a public web server and a DNS
    > > server. What are the advantages and disadvantages of placing these
    > > servers behind the firewall and performing
    > > NAT or port forwarding, instead of using a DMZ?
    > >
    > > Which of the options should I implement here in my office, to
    > > have a secure site?
    > >
    > > Thanks and regards,
    > >
    > > Fábio Baptista
    > > fgbat_private
    > >
    > >
    > >
    > 
    
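As an added illustration (not part of the thread, and not anyone's production ruleset), the following Python models the "contemporary" DMZ Thomas describes: the public web and DNS servers hang off a third firewall interface, every zone-to-zone flow is judged against explicit rules with a default deny, and there is deliberately no DMZ-to-internal rule, which is what keeps a hacked web server from becoming a staging point. The addresses, zone names and hosts are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed, hypothetical addressing for the example; not the poster's network.
ZONES = {
    "internet": [ip_network("0.0.0.0/0")],
    "dmz": [ip_network("192.0.2.0/24")],      # public web and DNS servers
    "internal": [ip_network("10.0.0.0/8")],   # office LAN and the mail server
}
WEB, DNS = ip_address("192.0.2.10"), ip_address("192.0.2.53")

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

def zone_of(addr: str) -> str:
    """Most specific zone wins, so the 0.0.0.0/0 catch-all is checked last."""
    ip = ip_address(addr)
    for name in ("dmz", "internal", "internet"):
        if any(ip in net for net in ZONES[name]):
            return name
    return "internet"

# (src zone, dst zone, proto, dport, dst host); None is a wildcard. First match
# wins and anything unmatched is dropped. Note there is no DMZ -> internal rule.
RULES = [
    ("internet", "dmz", "tcp", 80, WEB),          # public HTTP
    ("internet", "dmz", "udp", 53, DNS),          # public DNS
    ("internal", "dmz", "tcp", 80, WEB),          # staff browse the public site
    ("internal", "dmz", "udp", 53, DNS),
    ("internal", "internet", None, None, None),   # outbound, dynamically NATed
]

def allowed(flow: Flow) -> bool:
    """Default-deny: a compromised web server gets no path into the office LAN."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for sz, dz, proto, dport, host in RULES:
        if (sz, dz) != (src_zone, dst_zone):
            continue
        if proto is not None and proto != flow.proto:
            continue
        if dport is not None and dport != flow.dport:
            continue
        if host is not None and ip_address(flow.dst) != host:
            continue
        return True
    return False
```

The same evaluator with an extra ("internet", "dmz", ...) rule and the web server moved off the firewall models the "classic" router-ACL DMZ, which is the difference Ben and Tom are arguing about.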



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:33 PDT