RE: Which Firewall solutions

>>On the other hand, if you have a small setup like your house, or you just 
>>really have no money, you run a three-interface firewall like this:
>>
>>Internet
>>     |
>>   \/
>>Firewall  ----> Internal Network
>>     |
>>    \/
>>  DMZ

More info please.. Learning...

In the setup above...

You said "3-interface firewall"; I presume eth0, eth1, eth2, something like
that?

so...

Okay.. I give up.. I'm confused... I think I need to get a book on firewalls.
Any recommendations? Best if it's free/downloadable.


            | Internet |
            ------------
                 |
---------------------------------------
            | Firewall |   (allows tcp 25 and 80 only)
            ------------   (eth0 to www & mail)
                           (eth1 to internal LAN only)

    DMZ           DMZ           DMZ

    |mail server| |www server|
=======================================
                 |
                 |
---------------------------------------
    Internal Server + workstation/LAN
---------------------------------------

Ps : I don't expect you guys to actually follow through with explanations to
un-confuse this poor soul.  :)

Cheers,                                                 .^.
Mun Heng, Ow                                            /V\
H/M Engineering                                       /(   )\
Western Digital M'sia                                  ^^-^^
DID : 03-7870 5168                          The Linux Advocate

-----Original Message-----
From: Rodolfo J. Paiz [mailto:rpaiz@xxxxxxxxxxxxxx]
Sent: Wednesday, October 08, 2003 1:46 AM
To: shrike-list@xxxxxxxxxx
Subject: RE: Which Firewall solutions


At 20:22 10/6/2003, you wrote:
> >>I want to make it just as difficult for them to get into
> >>my internal network as it was to get into the server.
>
>rough drawing.. (Correct understanding?)

Your drawing is good for some scenarios, typically those where you have a 
little more money to spend on security and can afford two firewalls. In 
such a case Firewall #1 (we'll call it "Outer Firewall") separates the DMZ 
from the outside world, and you have a bunch of machines (say three, two 
servers and the Inner Firewall) inside the DMZ. Outer Firewall would then 
forward port 25 connections to the mail server, port 80 connections to the 
web server, and no connections whatsoever to the Inner Firewall.

You set up intrusion detection like Snort on the Inner Firewall and monitor 
for strange things going on in the DMZ. If someone cracks your Outer 
Firewall or one of your servers, they will surely start attempting to 
connect to your Inner Firewall, which you _know_ should never happen... 
then you react to the intrusion, but at this point your inner network has 
not been compromised yet. ANY connection to the Inner Firewall from outside 
is considered hostile.

On the other hand, if you have a small setup like your house, or you just 
really have no money, you run a three-interface firewall like this:

Internet
     |
    \/
Firewall  ----> Internal Network
     |
    \/
  DMZ

In this drawing, the firewall allows certain traffic through (ports 25 and 
80 in our example) specifically from the Internet to the servers in the DMZ 
and of course allows nothing into the inner network. The firewall also 
specifically allows only port 25/80 requests from the inner network to the 
DMZ and no connections from the DMZ to the internal network.

If one of your servers is cracked through a vulnerability in Apache or 
Sendmail, then your internal machines are still safe and protected by the 
firewall. The reason this is less secure than Scenario #1 above is that you 
only have one firewall, with free access to all networks; and if someone 
cracks the firewall, they can see and access every machine. This is OK for 
smaller networks (like homes or tiny offices), since a Linux box which is 
really only JUST A FIREWALL and does nothing else is overall pretty secure 
and a low risk.


-- 
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx


-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list

