From: "Greg Scott" <GregScott@InfraSupportEtc.com>
To: lartc@vger.kernel.org
Subject: RE: [LARTC] Beginner
Date: Thu, 23 May 2002 11:58:53 +0000 [thread overview]
Message-ID: <marc-lartc-102215415314131@msgid-missing> (raw)
In-Reply-To: <marc-lartc-102214898810761@msgid-missing>
Why not just do a topology like this:
LAN--------------Firewall
|
|
DMZ with webserver-----+
The perimeter network approach with 2 firewalls seems
much too complex for little if any benefit.
- Greg
-----Original Message-----
From: Rens Houben [mailto:shadur@systemec.nl]
Sent: Thursday, May 23, 2002 6:11 AM
To: alex@bennee.com
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Beginner
On Thu, 2002-05-23 at 12:58, Alex Bennee wrote:
> ewan said:
> >
> >> #Lan--Internal Firewall--- External firewall -- Internet
> >> |
> >> |
> >> webserver
> >
> >
> > what purpose does the internal firewall serve? just plug everything
> > into one firewall and write rules accordingly
> There is nothing wrong with having multiple layers of firewalls. It means
> your haxor has several layers of security to beat - security through depth.
More to the point, you can tell the inner firewall to do masquerading,
while the outer wall does filter-only, so your office LAN is safe where
the haxor can't even touch it until and unless he compromises the inner
firewall (which you can hammer shut to Fort Knoxian levels without
compromising accessibility) while the webserver (and maybe other servers
as well as the need arises) are in the perimeter -- not as well
defended, but accessible from the outside.
> But you can just use iptables on your internal firewall as well. No point
> learning new semantics :-)
Other than the fact that it's fun. :)
> Alex
> www.bennee.com/~alex/
--
Rens Houben | opinions are mine
Resident linux guru and sysadmin | if my employers have one
Systemec Internet Services. |they'll tell you themselves
PGP public key at http://suzaku.systemec.nl/shadur.key.asc -- new Dec
12 2001
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
prev parent reply other threads:[~2002-05-23 11:58 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-05-23 10:15 [LARTC] Beginner Jean Dee
2002-05-23 10:23 ` ewan
2002-05-23 10:58 ` Alex Bennee
2002-05-23 11:11 ` Rens Houben
2002-05-23 11:58 ` Greg Scott [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=marc-lartc-102215415314131@msgid-missing \
--to=gregscott@infrasupportetc.com \
--cc=lartc@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.