What I'm alluding to is essentially a DMZ. I don't automatically refer to a
three-NIC Linux/ipchains firewall by that term because when I first saw the
term used, it was in the context of two separate hardware firewalls with a
Web server etc. in between the two. On the surface of it, I feel like the
three-NIC ipchains approach would be vastly preferable w.r.t. versatility -
the kind of versatility you could probably only obtain with three hardware
firewalls the "old" way.
- Jeff
> -----Original Message-----
> From: Strider Centaur [mailto:strider@scifi-fantasy.com]
> Sent: Monday, April 24, 2000 10:24 AM
> To: Jeff Hubbs
> Subject: Re: [ale] network security
>
>
> I'm no security expert myself, but definitely put the web server
> behind a firewall. Stick it in a DMZ like:
>
>              WEB
>               :
>               :
>            Router
>               :
>            [FW (DMZ)]--HUB----+
>            [(MASQ) ]    :     :
>               :         :     :
>            PrivateNet  Web1  Web2 ...
>
> The DMZ can either be a less restrictive set of rules that allows
> two-way filtered communication using live IPs or a Port Forwarding
> configuration that forwards incoming requests to private IPs and vice
> versa, the latter of the two being more secure and can aid in load
> balancing to boot.
>
> I am only guessing you are using Masquerading for the private
> network as it would seem to be suicide to do it any other way. Then
> again I have been in plenty of so-called communications companies that
> put live IPs on every desktop. Wasteful and foolish bordering on
> incompetent.
>
> To make it even more secure, throw in a couple of firewalls
> cascaded and you can get fairly bulletproof, but always remember: as
> long as there is a floppy drive, a network cable or a monitor, you are
> never secure. :-)
>
>
> Jeff Hubbs wrote:
>
> > Brian - In lieu of placing the Web server completely outside the
> > firewall, I think you can add a third NIC to your firewall and hang
> > the Web server off of it. I think (and PLEASE if I'm wrong, correct
> > me!) that ipchains is such that you establish rules between any two
> > interfaces - in the two-interface case, rules between eth0 and eth1
> > are all there is, but if you add an eth2, I think you can make up
> > a "triangle" of rules such that the Web server touches the Internet
> > differently from how the rest of your LAN touches it and you can also
> > have some limited contact between your LAN and the Web server (or,
> > safest bet, none at all). - Jeff
> >
> > -----Original Message-----
> > From: Brian K. Murphy [mailto:bmurphy@maximumhost.net]
> > Sent: Sunday, April 23, 2000 11:52 PM
> > To: ale@ale.org
> > Subject: [ale] network security
> > I have a question. I am building a fairly large network
> > consisting of a large number of client machines and servers
> > connected to the Internet through a multi-megabit
> > connection. I need to set up a firewall for security, but I
> > want to put the web server outside the firewall (using the
> > "sacrificial lamb" security model). Now, dumb question is
> > this, how can I go from the router (cisco) to the web server
> > to the firewall to the ethernet switch/network with
> > everything else?? Keith
> >
>
>
>
> PS: does anyone else's spell checker recommend FIREBALLS as a
> replacement for FIREWALLS?
>
>
> --
> Strider Centaur
> http://www.Scifi-Fantasy.com
>
> " It is my observation that unless you really understand
> the issues, you are
> hardly in a position to criticize. Nearly all Linux users
> have used Windows,
> but very few Windows users have used Linux. " -- Me
>
>
>
--
To unsubscribe: mail majordomo@ale.org with "unsubscribe ale" in message body.
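As an added example (not code from any of the posts above), here is the three-NIC ipchains "triangle" Jeff asks about, combined with the port-forwarding flavour of DMZ that Strider sketches. One point worth settling for Jeff's question: ipchains has no "from interface A to interface B" match. The input chain sees the interface a packet arrived on, and in the forward chain -i names the interface the packet will leave on, so each leg of the triangle is written as "packets going out <iface> from <network>", with the per-interface anti-spoofing rules on the input chain making the source network trustworthy. Interface names, the addresses (203.0.113.2 is from the documentation range and is made up), the web server address, and the DRY_RUN/IPCHAINS/IPMASQADM variables are all assumptions for illustration.

```shell
#!/bin/sh
# Three-NIC ipchains DMZ (Linux 2.2 era). Added example, not from the thread.
#
#   eth0 = Internet side, public address 203.0.113.2      (assumed)
#   eth1 = private LAN 192.168.1.0/24, masqueraded         (assumed)
#   eth2 = DMZ 192.168.2.0/24, web server 192.168.2.10     (assumed)
#
# Legs of the triangle:
#   Internet -> DMZ : only TCP/80 to the public IP, port-forwarded to the web server
#   DMZ -> Internet : only the web server's replies (no new connections out)
#   LAN -> Internet : anything, masqueraded
#   LAN <-> DMZ     : nothing at all (Jeff's "safest bet"), logged
#   Internet -> LAN : nothing (never reachable; private addresses are masqueraded)

EXT_IF=eth0; EXT_IP=203.0.113.2
LAN_IF=eth1; LAN_NET=192.168.1.0/24
DMZ_IF=eth2; DMZ_NET=192.168.2.0/24; WEB=192.168.2.10

# Set DRY_RUN=1 to print the rules instead of applying them (assumed convention).
IPCHAINS="${IPCHAINS:-ipchains}"
IPMASQADM="${IPMASQADM:-ipmasqadm}"
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

build_dmz_rules() {
    # Start from "deny everything"; only the legs below are opened.
    run $IPCHAINS -F
    run $IPCHAINS -P input DENY
    run $IPCHAINS -P forward DENY
    run $IPCHAINS -P output ACCEPT
    run $IPCHAINS -A input -i lo -j ACCEPT

    # Anti-spoofing on the input chain: inside networks never arrive from the
    # Internet, and each inside leg may only carry its own network. Everything
    # below relies on this, because forward rules key on the source network.
    run $IPCHAINS -A input -i $EXT_IF -s $LAN_NET -j DENY -l
    run $IPCHAINS -A input -i $EXT_IF -s $DMZ_NET -j DENY -l
    run $IPCHAINS -A input -i $LAN_IF -s ! $LAN_NET -j DENY -l
    run $IPCHAINS -A input -i $DMZ_IF -s ! $DMZ_NET -j DENY -l

    # Leg 1: Internet -> DMZ. Accept TCP/80 to the public address, which
    # ipmasqadm rewrites to the web server; the forward rule covers the
    # rewritten packet on its way out eth2. Nothing else from the Internet.
    run $IPCHAINS -A input -i $EXT_IF -p tcp -d $EXT_IP 80 -j ACCEPT
    run $IPCHAINS -A forward -i $DMZ_IF -p tcp -d $WEB 80 -j ACCEPT
    run $IPMASQADM portfw -f
    run $IPMASQADM portfw -a -P tcp -L $EXT_IP 80 -R $WEB 80

    # Leg 2: DMZ -> Internet. Only non-SYN packets from the web server's port
    # 80, i.e. replies; they must pass through MASQ so the source is rewritten
    # back to the public address. A compromised web server cannot open
    # connections outward (no DNS, no downloads) under this rule set.
    run $IPCHAINS -A input -i $DMZ_IF -p tcp -s $WEB 80 ! -y -j ACCEPT
    run $IPCHAINS -A forward -i $EXT_IF -p tcp -s $WEB 80 ! -y -j MASQ

    # Leg 3: LAN -> Internet, masqueraded. Replies to masqueraded connections
    # are demasqueraded after the input chain, so the input chain still sees
    # them addressed to the public IP on the masquerade port range.
    run $IPCHAINS -A input -i $LAN_IF -s $LAN_NET -j ACCEPT
    run $IPCHAINS -A forward -i $EXT_IF -s $LAN_NET -j MASQ
    run $IPCHAINS -A input -i $EXT_IF -p tcp -d $EXT_IP 61000:65096 ! -y -j ACCEPT
    run $IPCHAINS -A input -i $EXT_IF -p udp -d $EXT_IP 61000:65096 -j ACCEPT

    # Leg 4: LAN <-> DMZ: none. The forward policy already denies this; the
    # explicit rules exist so attempts show up in the log.
    run $IPCHAINS -A forward -i $DMZ_IF -s $LAN_NET -j DENY -l
    run $IPCHAINS -A forward -i $LAN_IF -s $DMZ_NET -j DENY -l

    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Usage: DRY_RUN=1 sh dmz-rules.sh apply   (print)   /   sh dmz-rules.sh apply   (as root)
if [ "${1:-}" = "apply" ]; then
    build_dmz_rules
fi
```

Run it with DRY_RUN=1 first and read the printed rule list against the four legs in the header comment; that is the whole "triangle", and any rule not traceable to one of those legs is a hole. The price of the strict DMZ -> Internet leg is that the web server cannot resolve names or fetch anything itself; if it needs to, add a deliberate rule for that one service rather than loosening the reply-only rule.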