Re: Small network with a single real IP
On Tue, Nov 07, 2000 at 10:20:05AM -0800, jpm@nsimail.com wrote:
> > Should I set up two internal private subnets (one for the ftp/www),
> > and one for the other computers? What kind of communication should I allow
> > between them, in case the www/ftp box gets broken? Is that the way to go?
[...]
> I don't see any benefit in having two subnets, if your FW gets broken into
> then your whole network is in trouble anyway.
I think he means something like this:
- if you have two internal networks X and Y
- hosts x1, x2, ..., xn are connected only to network X
- hosts y1, y2, ..., ym are connected only to network Y
- host r is connected to both X and Y
And box xi is broken into, the attackers still don't have direct access to
network Y. This is particularly true if boxen x* and y* run some lame OS
(as opposed to boxes r and the firewall).
And remember that one can crack a box in numerous ways (e.g. virii).
regards
Marcin
--
+--------------------------------+ The reason we come up with new versions
|Marcin Owsiany | is not to fix bugs. It's the stupidest
|porridge@pandora.info.bielsko.pl| reason to buy a new version
+--------------------------------+ I ever heard. - Bill Gates
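The X / Y / r layout from the message above, as an added example that is not part of the original post: a small model of which services a broken-into host can connect to on a flat network versus the two-subnet layout. The host counts, ports and the forwarding policy on r are assumptions chosen for illustration.

```python
"""Added example: direct reachability from a compromised host in the X / Y / r layout."""
from itertools import product

# Constructed topology following the post's naming: x* only on X, y* only on Y,
# r on both. Host counts, services and ports are assumptions for illustration.
ATTACHED = {
    "x1": {"X"}, "x2": {"X"},
    "y1": {"Y"}, "y2": {"Y"},
    "r": {"X", "Y"},
}
SERVICES = {"x1": {80, 21}, "x2": {22}, "y1": {22, 139}, "y2": {139}, "r": {22}}


def exposed(src, attached, services, forward_rules):
    """Return {(host, port)} that `src` can open a connection to.

    Same-segment traffic never crosses r, so it is always possible.
    Cross-segment traffic must match a rule (src_net, dst_net, port) on r.
    """
    result = set()
    for dst, ports in services.items():
        if dst == src:
            continue
        same_segment = bool(attached[src] & attached[dst])
        for port in ports:
            routed = any(
                (s, d, port) in forward_rules
                for s, d in product(attached[src], attached[dst])
            )
            if same_segment or routed:
                result.add((dst, port))
    return result


def flat(attached):
    """The single-subnet alternative: every host on one network."""
    return {host: {"LAN"} for host in attached}


# Assumed policy on r: nothing is forwarded from X to Y; Y may reach port 80 on X.
RULES = {("Y", "X", 80)}

if __name__ == "__main__":
    print("flat     :", sorted(exposed("x1", flat(ATTACHED), SERVICES, set())))
    print("segmented:", sorted(exposed("x1", ATTACHED, SERVICES, RULES)))
```

In the segmented case host r is still directly exposed to x1, which is why the message singles out r and the firewall as the boxes that must not run a weak OS.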