Mailinglist Archive: opensuse-security (757 mails)

< Previous Next >
Re: [suse-security] How many firewalls?
  • From: Albert Brandl <albert.brandl@xxxxxxxxxxxxxx>
  • Date: Wed, 16 Jan 2002 09:19:19 +0100
  • Message-id: <20020116091919.A14436@xxxxxxxxxxxxxx>

On Tue, Jan 15, 2002 at 08:30:29PM +0100, Max Lindner wrote:

> I want to set a up a DMZ in my school.
> - Internet -> HARDWARE-ROUTER -> FW(1) -> DMZ -> FW(2) -> Intranet

What do you mean by hardware router? Does it have some packet filtering

> or
> - Internet
> |
> |
> Hardware-Router
> |
> |
> |
> FW
> DMZ _______/\______Intranet
> (I hope, this ascii art is good enough... :-/)

It's fine :-)

You might want to have a look at

Zwicky et al.: Building Internet Firewalls. Second Edition, June 2000.

There are _dozens_ of possible configurations for firewalls. You could
e.g. merge the hardware-router and the firewall into one machine. [Zwicky
et al.]: "You can merge the interior and exterior routers into a single
router, but only if you have a router sufficiently capable and flexible".
Router in this context means a packet filtering router.

> Our school has no good connection and low traffic but this is for a
> skilled work (the german term is 'Facharbeit') and so I want a really
> secure thing (no, I won't cut the cable ;-D).

The best configuration for your network depends on the requirements (which
might sound rather trivial...). If the users in the intranet want to
access services on the internet, you might want to proxy these services on
the firewall or on a machine in the dmz or on a machine in a separate
subnet. Proxies provide another layer of protection since you can
configure what kind of access is allowed.

You could e.g. have the following configuration:

DMZ _______/\___FW2+Proxies____Intranet

FW2 fetches all mail from the mail server, scans them for viruses and
puts them into the mail spool files for the users on the intranet.
It also serves as www proxy (e.g. via squid): All machines on the
intranet are configured with FW2 as proxy.

There are _lots_ of other possible configurations. Maybe it's better
to put the proxies to the DMZ (FW2 is less vulnerable, but packet
filtering rules are more complex). It depends.

The book by Zwicky et al. is really good. If you can get your hands
on it, read Chapter 6: Firewall Architectures.

Best regards,


< Previous Next >
Follow Ups