
List:       ipfilter
Subject:    Re: Probably stupid question
From:       chuck <Chuck () Yerkes ! com>
Date:       1998-01-16 15:52:58

It is claimed, but unverified, that Ben Lindstrom wrote:
[...] 
> On Thu, 15 Jan 1998, Greg A. Woods wrote:
> I've seen on some ways a better way..But more complex for inbound
> and outbound traffic.
> 
> Inet--router--|Filter Wall|--|FTP Server|-|FireWall|--|Intra|
> 
> This puts the FTP site in a nice DMZ.  You can then play games like..
> "Filter will pass-all-out, but will let only FTP in"  and the Fire Wall
> can have more strict rules and proxies.   However, the only thing to
> worry about would be performance loss going from intranet to internet
> since you'd be jumping through one proxy and one filter machine.  

Well, this was the original.  The problem is that the FTP server
must be considered vulnerable; it's running complex software (ftpd)
and has users interacting with it.  It is an insecure machine.

Now, since we assume it's vulnerable, we should, for the exercise,
assume it's broken into.  Then a sniffer is put on it and 
all I'net <-> firewall traffic is vulnerable.

With this you have two machines to monitor and watch for
your security.  My experience is that this leads to problems
(though it can be done quite well).

At the LEAST, give the ftp server a segment to the FilterWall that's
separate from the Firewall one. [1]

1) The router/filterwall can be the SAME THING (routers filter)
2) you COULD make the firewall/router the same machine (T1-speed
   cards exist for most platforms).

The cost of 4 port ethernet cards makes it easy to have 2-3 DMZ
zones off of the firewall.  It's really not that hard to maintain
(though generating IPFilter rules would likely be better than
writing them by hand - I use M4 then 'patch'; hardly glorious,
but it takes some of the trivia out of my face).

chuck
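The segmented layout chuck argues for (FTP server on its own leg of the filter wall, the inner firewall on another), written out as an IPFilter ruleset for the filter wall. This is an added example, not from the original message or from the IPFilter project. The interface names (ef0, ef1, ef2), the FTP server address 192.0.2.10 and the intranet range 10.0.0.0/8 are assumptions for illustration.

```conf
# Added example; not from the original message.  Assumed topology:
#   ef0  outside, toward the Internet router
#   ef1  FTP DMZ segment; only the FTP server (192.0.2.10) lives here
#   ef2  link to the inner firewall, which fronts the intranet (10.0.0.0/8)
# Because the FTP server sits on ef1 alone, a sniffer on a compromised
# FTP box never sees the ef0 <-> ef2 (intranet <-> Internet) traffic.

# Default deny on every interface; everything below is an exception.
block in log all
block out log all

# Drop packets arriving from the Internet that claim an inside source.
block in quick on ef0 from 192.0.2.10/32 to any
block in quick on ef0 from 10.0.0.0/8 to any

# "Let only FTP in": inbound control connection to the FTP server only.
# The state entry covers the replies; the out rule lets the first
# packet onto the DMZ leg.
pass in quick on ef0 proto tcp from any to 192.0.2.10/32 port = 21 flags S keep state
pass out quick on ef1 proto tcp from any to 192.0.2.10/32 port = 21

# Assume the FTP server is already broken into: anything it originates
# toward the intranet is logged and dropped (default deny would drop it
# anyway; the explicit rule gives you a log line to watch for).
block in log quick on ef1 from 192.0.2.10/32 to 10.0.0.0/8

# "Pass all out": intranet hosts may open anything to the Internet,
# statefully, so only their replies come back in on ef0.
pass in quick on ef2 proto tcp from 10.0.0.0/8 to any flags S keep state
pass out quick on ef0 proto tcp from 10.0.0.0/8 to any
pass in quick on ef2 proto udp from 10.0.0.0/8 to any keep state
pass out quick on ef0 proto udp from 10.0.0.0/8 to any
```

Two caveats a practitioner would add: FTP data connections are not covered by the port 21 rule alone (active mode has the server dial out from port 20, passive mode uses a high port the client picks), so a real deployment either adds a rule for the data ports or uses IPFilter's FTP proxy; and the inner firewall keeps its own stricter policy, so nothing on ef2 trusts the filter wall to have done its job.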
