Security Basics
Defense in Depth Oct 27 2004 07:33AM
Ronish Mehta (sf_mail_sbm yahoo com) (4 replies)
Re: Defense in Depth Nov 01 2004 05:33AM
Miles Stevenson (miles mstevenson org)
Re: Defense in Depth Oct 29 2004 05:35AM
Ravi Kumar (ravivsn rocsys com) (1 replies)
Re: Defense in Depth Oct 31 2004 09:20AM
Daniel Miessler (daniel dmiessler com)
Re: Defense in Depth Oct 27 2004 04:57PM
Gautam R. Singh (gautam singh gmail com)
Re: Defense in Depth Oct 27 2004 04:27PM
Kenneth R Swain II (ken kenswain com) (1 replies)
Let me see if I can clear something up.

----------
|        |
|        |  Internet facing firewall
----------

   DMZ

----------
|        |
|        |  Internal firewall
----------

As you can see, the DMZ is the area in between the two firewalls. You
really do not want any servers receiving service requests on your most
protected side (behind the internal firewall). You are doing the right
thing by keeping them where they are.

Defense in depth is something that takes layers. You have taken one of
the steps with separating what is receiving requests from the internet
from your LAN. You now need to finish out the package. You need AV,
patch management, host-based IDS, network IDS, and auditing just to
name a few. Defense in depth is hard to achieve for a home user since
it means computers that are dedicated to things like IDS. Once you have
these in place you also need to configure and tune them. There is no magic
bullet and it will take some work. Good luck.

-Ken

On Oct 27, 2004, at 3:33 AM, Ronish Mehta wrote:

>
> Hi List,
>
> I have a network setup with 2 firewalls
>
> There is a DMZ on the Internet facing firewall
>
> The servers on this DMZ contains servers that host
> both "http" and "https" pages
>
> There are no DMZ on the second firewall
>
> From what I understand, this setup is not providing
> defense in depth, at least not full defense in depth
>
> I wanted to create a DMZ on the second firewall, and
> move servers that host "HTTPS" pages to this new DMZ
>
> Would this new setup improve the security of the
> network?
>
> Thanks for comments,
>
> Ronish
Ken Swain
mail: ken (at) kenswain (dot) com
im: aim:krswain190
web: kenswain.com
"/dev/geek"
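
Added example, not part of the thread: a small audit of the two-firewall layout in the diagram above, checking that no Internet-originated service request can reach the LAN behind the internal firewall. The zone names, rule tuples and port numbers are constructed for illustration and do not come from the posters' networks.

```python
# Zones in the order of the diagram: internet | outer fw | dmz | inner fw | lan
ZONES = ["internet", "dmz", "lan"]

# Constructed sample rule sets: (src_zone, dst_zone, dst_port) = allow.
OUTER_FW = {("internet", "dmz", 80), ("internet", "dmz", 443),
            ("internet", "lan", 3389)}          # misconfiguration on layer 1
INNER_FW = {("dmz", "lan", 1433),
            ("internet", "lan", 3389)}          # same mistake on layer 2


def firewalls_crossed(src, dst):
    """Return which firewalls sit on the path between two zones."""
    lo, hi = sorted((ZONES.index(src), ZONES.index(dst)))
    crossed = []
    if lo == 0 and hi >= 1:      # internet/dmz boundary
        crossed.append("outer")
    if lo <= 1 and hi == 2:      # dmz/lan boundary
        crossed.append("inner")
    return crossed


def permitted(flow, outer, inner):
    """A flow passes only if every firewall on its path allows it."""
    tables = {"outer": outer, "inner": inner}
    return all(flow in tables[fw] for fw in firewalls_crossed(flow[0], flow[1]))


def audit(outer, inner):
    """Flag effective flows that weaken the DMZ layering."""
    findings = []
    for flow in sorted(outer | inner):
        if not permitted(flow, outer, inner):
            continue             # blocked by at least one layer
        src, dst, _port = flow
        if src == "internet" and dst == "lan":
            findings.append(("VIOLATION", flow))   # service request reaches LAN
        elif src == "dmz" and dst == "lan":
            findings.append(("REVIEW", flow))      # DMZ host may talk to LAN
    return findings


if __name__ == "__main__":
    for severity, flow in audit(OUTER_FW, INNER_FW):
        print(severity, flow)
```

Removing the bad rule from either rule set alone clears the violation, which is the layering the reply describes: a mistake on one firewall is still stopped by the other.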

Re: Defense in Depth Oct 29 2004 09:48PM
Javier Blanque (javier blanque com ar)







 

Copyright 2009, SecurityFocus