
Re: Firewall



On Thu, 23 Aug 2001, Bryan Andersen wrote:

> Manu Heirbaut wrote:
>
> With three NICs you can have a DMZ for internet accessible
> servers that is totally separate from you local systems network.
> This way you can set more restrictive firewall rules for the
> machines in the DMZ.  I use a DMZ for my web and DNS servers.
> They have a very high level of restriction on what they are
> able to do network wise.  On the other hand my general use
> systems are behind much less restrictive filtering rules.
> For an example the machines on the DMZ segment aren't allowed
> to make WEB, telnet, or ftp connections to other systems,
> even my general use systems.  The DMZ systems can't access
> any of my general use systems except via ssh.  I've also made
> it really hard for them to do general scanning as most ports
> are blocked from going out at the firewall.

I agree. I have a similar setup here. To sum it up, I have a protected LAN
which can establish almost any outgoing connection but is shielded
against just about any connection coming from the outside; then I have a
DMZ containing the servers which must, by their very nature, offer some
sort of service to, or be accessed from, the Internet at large, such as
the web server, ftp server, mail server etc.: these latter servers are
therefore somewhat more at risk of being compromised (although I try my
best to keep them as secure as possible), and are thus not allowed to
establish any outgoing connection, to minimise the amount of damage a
break-in could cause.

If you really wanted to be paranoid, you would want every potentially
vulnerable server connected to a separate wire altogether, to better
contain any incidents, but usually most of us settle for a single DMZ.

Bye
Giacomo

-- 
_________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>
_________________________________________________________________

OSSERVATORIO  ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddie Mercury)
_________________________________________________________________
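The three-zone policy both posts describe (the LAN may open connections outward but accepts none from outside; the DMZ publishes a few services and, apart from Bryan's ssh exception, may not initiate anything), written out as a small Python model so the intended rules can be checked flow by flow. This is an added example, not either poster's firewall; the zone names, the port list and the sample flows are constructed.

```python
"""Zone-policy model of a three-NIC firewall: lan, dmz and wan."""

# Services the DMZ hosts publish to the Internet (constructed sample:
# web, ftp control, smtp, dns).
DMZ_PUBLIC_PORTS = {80, 443, 21, 25, 53}
SSH = 22


def policy_new(src_zone: str, dst_zone: str, dport: int) -> str:
    """Verdict for the first packet of a connection (stateful model:
    replies are judged by connection tracking, see Firewall below)."""
    if src_zone == "lan":
        return "ACCEPT"            # protected LAN: almost anything outward
    if src_zone == "wan":
        if dst_zone == "dmz" and dport in DMZ_PUBLIC_PORTS:
            return "ACCEPT"        # only the published DMZ services
        return "DROP"              # nothing inbound to the LAN, nothing else
    if src_zone == "dmz":
        if dst_zone == "lan" and dport == SSH:
            return "ACCEPT"        # Bryan's exception: DMZ reaches LAN via ssh only
        return "DROP"              # no other outbound from the DMZ: a compromised
                                   # server cannot scan, fetch tools or pivot
    return "DROP"                  # default deny for anything unexpected


class Firewall:
    """Minimal connection tracker: a reply is accepted only if the
    connection it answers was accepted first."""

    def __init__(self) -> None:
        self.established: set[tuple[str, str, int]] = set()

    def new_connection(self, src_zone: str, dst_zone: str, dport: int) -> str:
        verdict = policy_new(src_zone, dst_zone, dport)
        if verdict == "ACCEPT":
            self.established.add((src_zone, dst_zone, dport))
        return verdict

    def reply_packet(self, src_zone: str, dst_zone: str, dport: int) -> str:
        # A reply flows dst->src of the original connection.
        if (dst_zone, src_zone, dport) in self.established:
            return "ACCEPT"
        return "DROP"


if __name__ == "__main__":
    fw = Firewall()
    for flow in [("lan", "wan", 80), ("wan", "lan", 22), ("wan", "dmz", 80),
                 ("dmz", "wan", 80), ("dmz", "lan", 22), ("dmz", "lan", 80)]:
        print(flow, fw.new_connection(*flow))
```

A DMZ web server answering a browser from the Internet is accepted only through the tracked state, which is what lets the "no outgoing from the DMZ" rule coexist with serving inbound requests.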