[NCLUG] Network configuration

Quent quent at pobox.com
Fri Oct 27 15:51:47 MDT 2000


There are numerous approaches to firewalling.

Sean's modification (network cards are cheap) gives you a way to block
everything but HTTP packets to the web server.

That's a lot more secure than the way I drew it, where the web server is
wide open to the Internet and your only security is in packet filtering
done on the web server itself.

With the 3 NIC design the firewall could block any traffic leaving the
web server, so if the web server was cracked it couldn't be used to
launch attacks on other machines or send spam and so on.

Another design is to have two packet filter boxes.  Replace the hub with
another packet filter and put a hub between the two packet filters and
call that LAN segment the DMZ.

	Quent

On Fri, Oct 27, 2000 at 07:18:05PM +0000, dobbster wrote:
> Sorry for the naive question, but does this diagram imply that the
> firewall system should have three NICs?
> 
> I thought that a web server in the DMZ would be plugged directly into
> the hub at the top.
> 
> Mark (dobbster at frii.com)
> 
> > > Presumably you meant:
> > >
> > > >            <----{dsl}---------[ hub ]
> > > >                                 |
> > > >                                 |
> > > >                 ^   ============|=========================
> > > >                 |               |
> > > >                 |               | +------+
> > > >                DMZ              | |      |
> > > >                 |         [firewall] [web server]
> > > >                 |               |
> > > >                 v   ============|=========================
> > >
> > > Otherwise it wouldn't really be a DMZ...
> > >
> > > >If you used port redirection, or NAT, to have a web server where I've
> > > >shown workstations, that would work but there's a risk.  If the web
> > > >server was cracked, they would be on a machine on your private network.
> > >
> > > Though if the only thing that's port-forwarded was port 80, they'd be
> > > reasonably limited in what they can do.  "Ok, now I've used the web
> > > server to create a root-level login, now I just telnet in and...  Dang!".
> > >
> > > Sean
> > > --
> > >  Do bad programmers wake up on Christmas morning to find coal in
> > >  their sockets?  -- Sean Reifschneider
> > > Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
> > > tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
> > > _______________________________________________
> > > NCLUG mailing list
> > > NCLUG at nclug.org
> > > http://www.nclug.org/mailman/listinfo/nclug
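The 3-NIC policy Quent describes (only HTTP in to the web server, nothing new allowed out of the DMZ), written out as an added iptables rule set that is not part of the thread. Interface names, the DMZ address range and the web server address are assumptions, and modern iptables is used rather than the ipchains of the time.

```shell
#!/bin/sh
# Three-NIC firewall policy for the DMZ layout discussed in the thread.
# Interface names, address ranges and the web server address below are
# assumptions, not taken from the thread. Set IPT=echo to dry-run.
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}      # DSL side, untrusted
LAN=${LAN:-eth1}      # private workstations, e.g. 192.168.1.0/24
DMZ=${DMZ:-eth2}      # DMZ segment holding the web server
WEB=${WEB:-10.0.0.80} # web server address in the DMZ (assumed)

apply_dmz_rules() {
    # Default deny for everything the firewall forwards between its NICs.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies to conversations allowed below may flow back.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Internet -> web server: only new HTTP connections to port 80.
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -p tcp -d "$WEB" --dport 80 \
         -m conntrack --ctstate NEW -j ACCEPT

    # LAN workstations may reach the web server on port 80 as well.
    $IPT -A FORWARD -i "$LAN" -o "$DMZ" -p tcp -d "$WEB" --dport 80 \
         -m conntrack --ctstate NEW -j ACCEPT

    # LAN may browse the Internet (NAT for the LAN is not shown here).
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT

    # The point of the thread: no new traffic leaves the DMZ, so a cracked
    # web server cannot reach the LAN or attack/spam out to the Internet.
    $IPT -A FORWARD -i "$DMZ" -j LOG --log-prefix "DMZ-EGRESS-DROP: "
    $IPT -A FORWARD -i "$DMZ" -j DROP
}

# Dry-run helper: returns the rules as text without touching the kernel.
dmz_rules_text() {
    ( IPT=echo; apply_dmz_rules )
}

case "${1:-}" in
    --dry-run) dmz_rules_text ;;
    --apply)   apply_dmz_rules ;;   # must run as root on the firewall
esac
```

A real web server in the DMZ usually needs one or two narrow exceptions (DNS, a package mirror) inserted above the final DROP; each one should be logged and reviewed, since egress from the DMZ is exactly what the design is meant to stop.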