Great Circle Associates Firewalls
(October 1996)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: Firewall Configuration
From: lists @ lina . inka . de (Bernd Eckenfels)
Date: Wed, 16 Oct 1996 21:35:19 +0200 (MET DST)
To: frankw @ in . net (Frank Willoughby)
Cc: firewalls @ GreatCircle . com
In-reply-to: <9610151239 . AA08620 @ su1 . in . net> from "Frank Willoughby" at Oct 15, 96 08:39:52 am

Hi,

> o  Configuration #2 has the DMZ protected by the packet filter only
>    (which is essentially NO protection).

It's not that easy. Configuration #2 can be a major Speed improvement.
And for Bastion Hosts in DMZs packet filters are a big security win. They
stop attackers from the outside from ip-spoofing and accessing most of the
Ports of the firewall. That is more than enough in most Environments (IF you
bastion host is securely configured. But if it is not I doubt your firewall
is that effective anyway.)

> Configuration # 1 offers as little protection as configuration # 2.

Configuration #2 still is more secure, since the Packetfilter
in the Firewall can stop the Bastion Host from sending spoofed IP-Packets
which seems to come from the outside. This is especially dangerouse, since
the Hacked Bastion Host is able to snoop the Anserws directed to the Source
of the spoofed Packages. Therefore you can spoof Connections from the DMZ
Host comming from possibel trusted Hosts of the Internet (yes, bad Thing,
but very common).

Configuration 1 is the winner, but only if you can afford it, since you need
a faster Hardware with an additional Network interface. Of course for
low-traffic Sites the Hardare speed inst a big issue.

Greetings
Bernd


References:
Indexed By Date Previous: RE: Checkpoint -
From: rabbi @ www . valuu . net (Rabbi Haim Cassorla)
Next: Re: hacked...
From: Joe Pollock <pollockj @ elwha . evergreen . edu>
Indexed By Thread Previous: Re: Firewall Configuration
From: Frank Willoughby <frankw @ in . net>
Next: WINDOWS 95 SETUP/Hidden files..
From: indy @ aero . gla . ac . uk (Inderjit S Gabrie)

Google
 
Search Internet Search www.greatcircle.com