On Sun, Apr 21, 2002 at 02:11:05AM -0400, Shawn McMahon wrote: > A DMZ is still behind the firewall. A DMZ is it's own little isolated > corner where all traffic to the Internet goes through the firewall, and > all traffic to the LAN goes through the firewall. That way, if the > server is cracked, it still can't get to anything except on the ports > that are "trusted". I just don't see how that gets you anything at all if only the "trusted" ports have any services listening on them. I have seen personally a WinNT box, behind a firewall, with only port 80 visible to the world get cracked. Not only was it cracked, but it was then used as a launch pad for an attack on another box that was also in the DMZ. All that was with only port 80 open. Besides that, this has strayed very far from the statement that originally started the conversation. The original claim by David Smead was that putting a host on the network is a recipe for certain disaster, which I claim is utter nonsense. Basically, my approach is to assume that all ports on all hosts are visible to the world. To me, this as a fundamental fact of networking. With this in mind, construct a secure network infrastructure. It can certainly be done; I live in that world every day and have never felt a desire to have a firewall in front of my network. I realize there are other philosophies on network security, I just happen to disagree with them. 8^) noah -- _______________________________________________________ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Attachment:
pgpC9TwdMc0_5.pgp
Description: PGP signature