
Re: Small network with a single real IP



On Tue, Nov 07, 2000 at 10:20:05AM -0800, jpm@nsimail.com wrote:
> > Should I set up two internal private subnets (one for the ftp/www),
> > and one for the other computers? What kind of communication should I allow
> > between them, in case the www/ftp box gets broken? Is that the way to go?

[...]
> I don't see any benefit in having two subnets, if your FW gets broken into
> then your whole network is in trouble anyway.

I think he means something like this:
 - if you have two internal networks X and Y
 - hosts x1, x2, ..., xn are connected only to network X
 - hosts y1, y2, ..., ym are connected only to network Y
 - host r is connected to both X and Y

And if box xi is broken into, the attackers still don't have direct access to
network Y. This is particularly true if boxen x* and y* run some lame OS
(as opposed to boxes r and the firewall).

And remember that one can crack a box in numerous ways (e.g. virii).

regards

Marcin
-- 
+--------------------------------+ The reason we come up with new versions
|Marcin Owsiany                  | is not to fix bugs. It's the stupidest
|porridge@pandora.info.bielsko.pl| reason to buy a new version
+--------------------------------+ I ever heard.            - Bill Gates
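The split Marcin describes, written out as a packet-filter policy for host r (the box sitting on both X and Y). This is an added example, not part of the original thread: the network addresses, interface names and the choice of iptables (with its stateful `-m state` match) are assumptions for illustration, and the script prints the rules instead of loading them so it can be reviewed without root. The only new connections allowed across r are from Y into X on the assumed admin ports; nothing X initiates toward Y is forwarded, which is the property that keeps a compromised xi away from Y.

```shell
#!/bin/sh
# Added example (not from the original post): FORWARD policy for host r,
# which is connected to both internal networks X (www/ftp) and Y (the rest).
# Addresses and interface names below are assumptions for illustration.
X_NET="192.168.10.0/24"   # network X: hosts x1..xn (assumed)
Y_NET="192.168.20.0/24"   # network Y: hosts y1..ym (assumed)
X_IF="eth1"               # interface of r on network X (assumed)
Y_IF="eth2"               # interface of r on network Y (assumed)

# Print the iptables commands instead of executing them, so the ruleset can be
# read and checked without loading it into a kernel.
gen_forward_rules() {
    printf '%s\n' \
      "iptables -P FORWARD DROP" \
      "iptables -F FORWARD" \
      "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -i $Y_IF -o $X_IF -s $Y_NET -d $X_NET -p tcp --dport 22 -j ACCEPT" \
      "iptables -A FORWARD -i $Y_IF -o $X_IF -s $Y_NET -d $X_NET -p tcp --dport 80 -j ACCEPT" \
      "iptables -A FORWARD -i $X_IF -o $Y_IF -j LOG --log-prefix 'X->Y blocked: '" \
      "iptables -A FORWARD -i $X_IF -o $Y_IF -j DROP"
}

# Model of the same policy for NEW connections crossing r, so the intent can be
# checked without a kernel: exit status 0 means allowed, 1 means denied.
# Arguments: source network (X or Y), destination network (X or Y), TCP port.
new_conn_allowed() {
    case "$1:$2:$3" in
        Y:X:22) return 0 ;;   # admin SSH from Y into the www/ftp boxes (assumed)
        Y:X:80) return 0 ;;   # browsing the www box from Y (assumed)
        *)      return 1 ;;   # everything else, including anything X starts toward Y
    esac
}

# Walk a few constructed connection attempts through the model.
for attempt in "Y X 22" "Y X 80" "X Y 22" "X Y 139"; do
    set -- $attempt
    if new_conn_allowed "$1" "$2" "$3"; then
        echo "$1 -> $2 port $3: allowed"
    else
        echo "$1 -> $2 port $3: denied"
    fi
done
gen_forward_rules
```

Reply packets for the connections Y opens into X are covered by the ESTABLISHED,RELATED line, so no rule is needed in the X->Y direction; with a stateless filter such as ipchains, which is what was current when this message was written, that return traffic would have to be admitted with explicit rules, and those rules are where holes tend to creep in. The LOG line before the final DROP is worth keeping: a flood of "X->Y blocked" entries is often the first visible sign that one of the x* boxes has been taken over.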


