RE: Which Firewall solutions

>>I want to make it just as difficult for them to get into 
>>my internal network as it was to get into the server.

Rough drawing... (Correct understanding?)

		| Internet|
		----------
			|
---------------------------------------

	DMZ		DMZ		DMZ

		(Another Firewall here?)    <----Pls Comment

	|mail server|	|www server|
=======================================
			|
		|Firewall|
		----------
		     |
---------------------------------------
	Internal Server + workstation/LAN
---------------------------------------
	
Cheers,                                                 .^.
Mun Heng, Ow                                            /V\
H/M Engineering                                       /(   )\
Western Digital M'sia                                  ^^-^^
DID : 03-7870 5168                          The Linux Advocate

        


-----Original Message-----
From: Rodolfo J. Paiz [mailto:rpaiz@xxxxxxxxxxxxxx]
Sent: Monday, October 06, 2003 9:48 PM
To: shrike-list@xxxxxxxxxx
Subject: RE: Which Firewall solutions


At 07:19 10/6/2003, you wrote:

>I am a bit new to Linux, but for the last three years DMZ on a firewall
>has represented an open, unprotected address.
>
><snip>
>
>In everything I have read and used, the last place to put a server is in
>the DMZ.

Well, Buck, you have just run into another well-known advantage of The 
Linux Way [tm], known as TIMTOWTDI: There Is More Than One Way To Do It. 
Whatever your sources are, you're welcome to go with what they say or 
recommend.

I, on the other hand, will offer the Internet "an open, unprotected access" 
to any part of my network over my dead body. Access to my internal network 
is forbidden entirely, but since I must offer access to my servers (kind of 
the point of having servers, after all) I try to make sure all traffic 
to/from my servers is "demilitarized", i.e. no 
hackers/crackers/script-kiddies welcome. My DMZ and my internal net are 
both behind a firewall and each separate from the other, with traffic 
to/from the DMZ very carefully controlled in all directions.

I want to prevent someone cracking my servers, but when it happens (hasn't 
happened yet in five years, but I see it as an inevitable event, it _will_ 
happen someday), I want to make it just as difficult for them to get into 
my internal network as it was to get into the server.

You don't like my definition...? No problem at all, don't use it. Use any 
other definition you wish that makes you happy. After all, it's your 
network. But since this is a discussion list, let's discuss: Your 
description put mail and web servers (those that need to offer access to 
the outside) in the DMZ, so (a) I'm not sure why this is "the last place to 
put a server" and (b) if I can offer both zones (internal and dmz) the 
protection each deserves and needs, why would I leave one of them bare-ass 
naked?


-- 
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx


-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
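
The zone policy described in the quoted message (published services reachable in the DMZ, DMZ and internal net kept separate, nothing initiated toward the internal net), written out as an added example that is not part of either post: a shell function that prints an iptables-restore ruleset for a firewall with three interfaces. Interface names, addresses and the chosen ports are assumptions, and the nat table is left out.

```shell
#!/bin/sh
# Added example: three-legged firewall policy for the layout discussed above.
# Interface names and addresses are constructed placeholders.
WAN_IF=eth0   # Internet
DMZ_IF=eth1   # mail and www servers
LAN_IF=eth2   # internal servers and workstations
MAIL=192.168.10.25
WWW=192.168.10.80

# Print a filter-table ruleset in iptables-restore format.
emit_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall itself: loopback and replies only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Replies to connections that an earlier rule allowed.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ: only the published services.
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $WWW -p tcp --dport 80 -m state --state NEW -j ACCEPT
# DMZ -> Internet: outbound SMTP from the mail server, DNS lookups.
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
# LAN -> Internet and LAN -> DMZ: connections start from the inside.
-A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -m state --state NEW -j ACCEPT
# DMZ -> LAN and Internet -> LAN: nothing new, and log the attempts.
-A FORWARD -o $LAN_IF -j LOG --log-prefix "to-LAN denied: "
-A FORWARD -o $LAN_IF -j DROP
COMMIT
EOF
}

emit_ruleset
```

Piping the output to `iptables-restore --test` parses the ruleset without loading it.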

