RE: Which Firewall solutions

At 20:22 10/6/2003, you wrote:
>>I want to make it just as difficult for them to get into
>>my internal network as it was to get into the server.

rough drawing.. (Correct understanding?)

Your drawing is good for some scenarios, typically those where you have a little more money to spend on security and can afford two firewalls. In such a case Firewall #1 (we'll call it "Outer Firewall") separates the DMZ from the outside world, and you have a bunch of machines (say three, two servers and the Inner Firewall) inside the DMZ. Outer Firewall would then forward port 25 connections to the mail server, port 80 connections to the web server, and no connections whatsoever to the Inner Firewall.


You set up intruder detection like Snort on the Inner Firewall and monitor for strange things going on in the DMZ. If someone cracks your Outer Firewall or one of your servers, they will surely start attempting to connect to your Inner Firewall, which you _know_ should never happen... then you react to the intrusion, but at this point your inner network has not been compromised yet. ANY connection to the Inner Firewall from outside is considered hostile.

On the other hand, if you have a small setup like your house, or you just really have no money, you run a three-interface firewall like this:

Internet
    |
   \/
Firewall  ----> Internal Network
    |
   \/
 DMZ

In this drawing, the firewall allows certain traffic through (ports 25 and 80 in our example) specifically from the Internet to the servers in the DMZ and of course allows nothing into the inner network. The firewall also specifically allows only port 25/80 requests from the inner network to the DMZ and no connections from the DMZ to the internal network.

If one of your servers is cracked through a vulnerability in Apache or Sendmail, then your internal machines are still safe and protected by the firewall. The reason this is less secure than Scenario #1 above is that you only have one firewall, with free access to all networks; and if someone cracks the firewall, they can see and access every machine. This is OK for smaller networks (like homes or tiny offices), since a Linux box which is really only JUST A FIREWALL and does nothing else is overall pretty secure and a low risk.


-- Rodolfo J. Paiz rpaiz@xxxxxxxxxxxxxx


-- Shrike-list mailing list Shrike-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/shrike-list
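A small model of the zone policy described in the message above, added here as an example; it is not Rodolfo's code and not anything from the Shrike list. It encodes the three-interface setup (Internet to DMZ on 25/80, internal to DMZ on 25/80, nothing into the internal network, nothing from the DMZ to the internal network) as a default-deny rule table, evaluates constructed connection-log lines against it, and also carries the two-firewall rule that any connection to the Inner Firewall is hostile. The subnets, the inner-firewall address, the log lines and the outbound internal-to-Internet rule are all assumptions; the message names none of them.

```python
"""
Zone-policy model for the DMZ firewall described in the post.
Added example, not the original author's code. All addresses,
subnets and log lines are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption; the post names no subnets).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.10.0.0/16"),
}
# Anything outside a known zone is treated as the Internet.
DEFAULT_ZONE = "internet"

# The two services the post allows through: SMTP and HTTP.
SERVICE_PORTS = frozenset({25, 80})

# Allow rules as (src_zone, dst_zone, ports); None means any port.
# Everything not listed here is dropped (default deny), which covers
# "nothing into the inner network" and "no DMZ -> internal".
POLICY = [
    ("internet", "dmz", SERVICE_PORTS),
    ("internal", "dmz", SERVICE_PORTS),
    # Assumption: the post does not discuss outbound browsing from the
    # internal network; this rule is added so the model is usable. Remove
    # it to model the post literally.
    ("internal", "internet", None),
]

# Two-firewall scenario: the Inner Firewall's DMZ-facing address
# (constructed). No legitimate flow ever targets it.
INNER_FW_IP = "192.0.2.1"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return DEFAULT_ZONE


def decide(flow: Flow) -> str:
    """Return 'ACCEPT' or 'DROP' for a new connection under the zone policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "ACCEPT"  # same-zone traffic never crosses the firewall
    for rule_src, rule_dst, ports in POLICY:
        if src_zone == rule_src and dst_zone == rule_dst:
            if ports is None or flow.dport in ports:
                return "ACCEPT"
    return "DROP"  # default deny


def parse_log(text: str) -> list[Flow]:
    """Parse constructed 'src dst dport' lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        flows.append(Flow(src, dst, int(port)))
    return flows


def audit(text: str) -> list[tuple[Flow, str]]:
    """Evaluate every logged connection against the policy."""
    return [(f, decide(f)) for f in parse_log(text)]


def inner_firewall_alerts(text: str) -> list[Flow]:
    """Two-firewall rule from the post: any connection to the Inner
    Firewall is hostile, whichever port and whichever source."""
    return [f for f in parse_log(text) if f.dst == INNER_FW_IP]


# Constructed connection log: Internet host, DMZ web/mail server, internal PC.
SAMPLE_LOG = """\
203.0.113.7 192.0.2.10 80
203.0.113.7 192.0.2.10 22
10.10.3.4 192.0.2.10 25
192.0.2.10 10.10.3.4 445
203.0.113.7 10.10.3.4 80
"""

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:6} {zone_of(flow.src):8} -> {zone_of(flow.dst):8} "
              f"port {flow.dport}")
```

On the real box the enforcement is the iptables rule set, not this script; the model is handy for running a day's connection log through the intended policy and checking that no DMZ-to-internal flow ever comes back as ACCEPT. Under the two-firewall layout, anything `inner_firewall_alerts` returns is exactly the "should never happen" event the post says to react to.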
