Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] How many firewalls?
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Thu, 17 Jan 2002 10:18:02 +0100
  • Message-id: <20020117101802.C16468@xxxxxxxxx>
* Albert Brandl wrote on Wed, Jan 16, 2002 at 09:19 +0100:
> On Tue, Jan 15, 2002 at 08:30:29PM +0100, Max Lindner wrote:
> > - Internet -> HARDWARE-ROUTER -> FW(1) -> DMZ -> FW(2) -> Intranet
>
> What do you mean by hardware router? Does it have some packet filtering
> capabilities?

Does it matter? Well, it's nice to have two different firewalls,
i.e. linux and cisco or linux and BSD or so, since they won't
have the same bugs, if they have any.

> The best configuration for your network depends on the requirements
[just let me repeat :)]

> Proxies provide another layer of protection since you can
> configure what kind of access is allowed.

Yes, and with proxies you can do more detailed control, since it
works on the application layer and understands the contents of the
packets. With a packet filter, you can drop HTTP packets from
i.e. yahoo.com. With a proxy, you can filter HTTP packets with
gif content from yahoo.com or so.

> You could e.g. have the following configuration:
>
> Internet
> |
> |
> |
> FW1
> DMZ _______/\___FW2+Proxies____Intranet
>
>
> FW2 fetches all mail from the mail server, scans them for viruses and
> puts them into the mail spool files for the users on the intranet.

Why fetching? Why not put an SMTP server in the DMZ which
forwards mail via proxy to internal LAN?

> It also serves as www proxy (e.g. via squid): All machines on the
> intranet are configured with FW2 as proxy.

If you want to have a secure FW2 proxy, I would suggest disabling
packet forwarding altogether. Once in the kernel via
echo "0" > /proc/***??*/ip*_forward*
and maybe additionally by firewall rules; it shouldn't hurt :)

Then you have two networks (from the network transport's point of
view), and it's much harder for an intruder to get in.

> There are _lots_ of other possible configurations. Maybe it's better
> to put the proxies to the DMZ (FW2 is less vulnerable, but packet
> filtering rules are more complex). It depends.

If you put proxies in the DMZ only, you cannot disable the packet
forwarder and you will rely on firewall rules. This is ok, but
personally I prefer to have no packet forwarding at all; it
is much easier to check and configure than firewall rules
(well, it may happen that a firewall rule accidentally bypasses
another and so on).

oki,

Steffen

--
This message was produced by machine,
so it bears neither signature nor seal.
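An added example (not from this thread or its authors) of auditing the "no forwarding at all, plus firewall rules" layering Steffen describes for a dual-homed proxy host like FW2: the kernel switch lives at /proc/sys/net/ipv4/ip_forward on Linux, and the FORWARD chain policy is read from `iptables -S FORWARD` output. The sample rule listings below are constructed for offline use; `audit_live_host` is the only part that touches the real system.

```shell
#!/bin/sh
# Defence in depth on a proxy host: the kernel must not route between the
# interfaces (ip_forward=0) AND the netfilter FORWARD chain must default to
# DROP with no ACCEPT rules, so that one slip does not open a path.

# check_forwarding <ip_forward value> <output of 'iptables -S FORWARD'>
# Prints findings; returns 0 only when both layers deny forwarding.
check_forwarding() {
    ipfwd="$1"
    rules="$2"
    ok=0
    if [ "$ipfwd" != "0" ]; then
        echo "FAIL: ip_forward=$ipfwd (kernel will route between NICs)"
        ok=1
    else
        echo "ok: kernel packet forwarding disabled"
    fi
    # '-P FORWARD <policy>' is the chain's default policy line
    policy=$(printf '%s\n' "$rules" | awk '/^-P FORWARD/ {print $3}')
    case "$policy" in
        DROP|REJECT) echo "ok: FORWARD chain policy $policy" ;;
        *) echo "FAIL: FORWARD policy is '${policy:-unknown}' (want DROP)"; ok=1 ;;
    esac
    # Any explicit ACCEPT in FORWARD undermines a DROP default policy
    if printf '%s\n' "$rules" | grep -q '^-A FORWARD .*-j ACCEPT'; then
        echo "FAIL: FORWARD chain contains an ACCEPT rule"
        ok=1
    fi
    return $ok
}

# Read the real values; needs root on a Linux host with iptables installed.
audit_live_host() {
    check_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)" \
                     "$(iptables -S FORWARD 2>/dev/null)"
}

# Constructed sample listings: a weak host that routes DMZ->intranet
# traffic, and a hardened one that relies on proxies only.
WEAK_RULES='-P FORWARD ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT'
HARDENED_RULES='-P FORWARD DROP'

# Demo run (exit status is the verdict): weak config -> 1, hardened -> 0
check_forwarding 1 "$WEAK_RULES"; echo "weak host verdict: $?"
check_forwarding 0 "$HARDENED_RULES"; echo "hardened host verdict: $?"
```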
