RE: Which Firewall solutions

First of all, "old school" <> "old age" (I'm 45).  It may very well
indicate an old instructor, though.

We are in agreement on protecting our servers.  We just differ on where
the DMZ is.  

Thanks for the comments.

Take care,
Buck

  

-----Original Message-----
From: shrike-list-admin@xxxxxxxxxx [mailto:shrike-list-admin@xxxxxxxxxx]
On Behalf Of Rodolfo J. Paiz
Sent: Monday, October 06, 2003 11:00 AM
To: shrike-list@xxxxxxxxxx
Subject: RE: Which Firewall solutions


At 08:19 10/6/2003, you wrote:
>I can understand where different people have adopted different
>definitions to DMZ, but it appears that the firewall industry uses the 
>DMZ to refer those computers made available to the internet.

Available to the Internet, yes. Subject to direct access on some ports by
total strangers and therefore at much higher risk, yes.

Bare-assed naked, no. Computers in the DMZ should _also_ have firewall
protection; as in your example, my webserver has all but tcp/80 requests
blocked from the Internet at the firewall. But by definition they must be
accessible, so they have less protection.

The key difference from what you and I are saying is that your equipment is
leaving the DMZ totally open. I try to protect the DMZ also. I don't use
the small SOHO hardware firewalls much, I'm happier using an old P/100 with
a minimal RH9 install and configuring iptables with Shorewall. Overall it's
much more flexible, and I also then put DNS, DHCP, and NTP service on that
firewall box so it pretty much runs the network automatically.

>You might be from the "old school" and before it was altered.

<laugh> Well, at age 31 and in this arena I suppose it was only a matter of
time before someone started calling me old.

>The DMZ is most dangerous as it is
>in front of the protection of the front line.

Using that analogy, then the DMZ has no protection at all. In that case,
the enemy roams the DMZ freely. And that's not very "demilitarized" is it?

>Therefore, systems in the
>DMZ would need to protect themselves.  For example, a web server might
>close all ports but port 80.  It would protect itself as best possible 
>and still be isolated from the internal network.

All servers should protect themselves. But why not _also_ protect them with
a firewall?


-- 
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx


-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
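
The layout argued for in the quoted message (a DMZ web server reachable from the Internet only on tcp/80, kept isolated from the internal network, with DNS, DHCP and NTP served from the firewall box) sketched as plain iptables rules. This is an added example, not part of the original thread and not the poster's Shorewall configuration; the interface names and the web server address are assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for a three-interface
# Linux firewall (Internet / DMZ / internal). All values below are assumed.
WAN_IF=eth0          # Internet-facing interface (assumption)
DMZ_IF=eth1          # DMZ segment (assumption)
LAN_IF=eth2          # internal network (assumption)
WEB_IP=192.0.2.10    # DMZ web server, documentation address (constructed)

dmz_ruleset() {
    cat <<EOF
*filter
# Default deny: anything not explicitly allowed below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The firewall box itself serves DNS, DHCP and NTP to the internal network.
-A INPUT -i $LAN_IF -p udp -m multiport --dports 53,67,123 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
# Replies to connections that were allowed in the first place.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ: only new tcp/80 connections to the web server.
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB_IP -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Internal hosts may open connections to the DMZ and to the Internet.
-A FORWARD -i $LAN_IF -o $DMZ_IF -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW -j ACCEPT
# DMZ -> internal: never initiated from the DMZ side; log, then drop.
-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN drop: "
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
COMMIT
EOF
}
```

The output can be checked without loading it by piping it to `iptables-restore --test` as root on the firewall host.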




