
Re: Multiple nics on inside of DMZ


On Thu, Nov 14, 2002 at 04:49:22PM -0600, Miller, Jeff - x3328 wrote:
> Thanks for all the replies! 
> The book is "Linux Firewalls-2nd ed". With iptables! 

When you understand the basics of packet filtering, it is not really
significant which system you actually use - but of course, as a
beginner, a direct relation to the tools you are using is sometimes
helpful ;-)

> Someone else had mentioned host-based firewalls too. 

Yup, I guess that was me.

> Thing is most of the
> machines in the DMZ are Windows based, many with IIS. I'm not getting into
> details since I don't want a big windows-linux war, but simply put I'm going
> to concentrate on securing the DMZ. Plus the IIS servers are not my
> responsibility and I'd rather not touch them.

No need for any war, there sometimes are reasons for that. But
nevertheless even Windows NT (and 2000/XP) is capable of packet
filtering in some rudimentary way. You should try to make use of it...

The question is: Are these Windows hosts basically the same, so if
one can be attacked from the internet, can the others be in the same
way? If yes, there's no sense in splitting them into different DMZs,
because if one is broken into, the others will be as well...

If they are maybe maintained by different administrators, splitting
the DMZ might be sensible.

> Yet at that, I planned on running filter policies on the few Debian
> inter-dmz hosts anyway.

Maybe you should split the DMZ into uncontrollable and controlled.

By the way: if you don't refer to the previous e-mail, there is no
need to quote it in full.

Ciao, Arne.
 ,``o. OpenBSD        -        Debian GNU/Linux        -        Solaris  >o)
>( ,c@ GPG 1024D/913C2F81 2000-10-11  Arne P. Boettger <apb@createx.de>  /\\
 ',,,' Fingerprint = 6ED9 9A64 CD8A EB6F D841  0391 2F08 8F86 913C 2F81 _\_V
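As an added illustration of the "filter policies on the few Debian inter-dmz hosts" mentioned above (example code, not part of the original thread or anything Arne or Jeff posted): a host-based iptables policy for one Debian DMZ host that lets the internet reach only its public services while dropping everything that originates from its DMZ neighbours, so a broken-into neighbour cannot reach this host. The subnet, management host, interface and port list are constructed assumptions; the rules are emitted as text so they can be reviewed, and the ordering check catches the classic mistake of opening the public ports before the intra-DMZ block.

```shell
#!/bin/sh
# Added example: host-based iptables policy for a Debian host in a DMZ.
# All addresses, ports and the interface name are constructed assumptions.
DMZ_NET="192.0.2.0/24"      # constructed DMZ subnet (TEST-NET-1)
MGMT_HOST="192.0.2.10"      # constructed admin host allowed to SSH in
PUBLIC_PORTS="80 443"       # services this host offers to the internet
IFACE="eth0"

# Emit the rule set as iptables commands (text only, so it can be
# reviewed or tested without root; pipe into sh to apply).
dmz_host_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # management access only from the single admin host
    echo "iptables -A INPUT -i $IFACE -s $MGMT_HOST -p tcp --dport 22 -j ACCEPT"
    # anything else from inside the DMZ is logged and dropped BEFORE the
    # public ports are opened: a compromised neighbour gets no service here
    echo "iptables -A INPUT -i $IFACE -s $DMZ_NET -j LOG --log-prefix 'DMZ-LATERAL: '"
    echo "iptables -A INPUT -i $IFACE -s $DMZ_NET -j DROP"
    # public services, reachable from the internet only
    for p in $PUBLIC_PORTS; do
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -j LOG --log-prefix 'DMZ-DROP: '"
}

# Ordering check: the intra-DMZ DROP must come before the first public-port
# ACCEPT, otherwise a neighbour reaches the web ports through the public rule.
# Returns 0 when the order is correct, 1 otherwise.
lateral_block_before_public() {
    dmz_host_rules | awk -v net="$DMZ_NET" '
        index($0, "-s " net) && /-j DROP$/      { drop = NR }
        /--dport .*--state NEW -j ACCEPT$/       { if (!pub) pub = NR }
        END { exit !(drop && pub && drop < pub) }'
}

# Apply for real only when explicitly asked and running as root.
if [ "$1" = "apply" ] && [ "$(id -u)" = "0" ]; then
    dmz_host_rules | sh -e
fi
```

Run the script without arguments to print the rules for review; `sh thisscript.sh apply` as root installs them.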
