From: Eric Tong (etong@mail.com)
Date: Thu Oct 04 2001 - 18:42:31 CDT
Also, the best practice is to use different firewalls, i.e. different
vendors, in the different layers. The rationale behind this is the increase
of skill level required to penetrate different firewalls.
However, I would prefer putting the DMZ to a 3rd NIC on the Outer
Firewall instead.
Cheers,
Eric
Arlen Fletcher wrote:
> It's a layered defense.
>
> -----Original Message-----
> From: Rob Collins [mailto:robtompc@yahoo.com]
> Sent: Thursday, October 04, 2001 2:07 PM
> To: CISSPSTUDY@SECURITYFOCUS.COM
> Subject: "design the firewall system" practice from the CERT Security
> Improvement Modules
>
> Hi all,
>
> I was reading the CERT practice specified in the
> subject line (it is available here:
> http://www.cert.org/security-improvement/practices/p053.html).
> Within, they talk about firewall architectures. The
> DMZ network (figure 1.6), maps well to the IDS Zone
> Theory Diagram by Scott Sanchez, and makes perfectly
> good sense to me. But the practice suggests, as more
> secure, a dual firewall with DMZ network architecture
> (figure 1.7). It does not provide details as to why
> this architecture is considered to be of increased
> effectiveness.
>
> The dual firewall design places a firewall at the
> external perimeter, which connects to the DMZ network
> (and the internet). On the DMZ network is another
> firewall, which sits at the internal network perimeter.
>
> =====
> --r
> "Experience is that marvelous thing that enables you to recognize a
> mistake when you make it again." -- F. P. Jones
>
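The two layouts discussed above (the CERT figure 1.7 dual firewall with the DMZ between the outer and inner firewall, and Eric's variant with the DMZ on a third NIC of the outer firewall) modelled as a small zone-based filter. This is an added example, not code from the thread or from CERT; the address plan (192.0.2.0/24 as the DMZ, 10.0.0.0/8 as internal), the hosts WEB and DB, and the rule sets are constructed assumptions. It shows which firewalls a flow must cross in each layout and that a flow is permitted only if every firewall on its path permits it, which is the "layered defense" point Arlen makes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan for the example (an assumption, not from the thread).
DMZ_NET = ip_network("192.0.2.0/24")
INTERNAL_NET = ip_network("10.0.0.0/8")
WEB = "192.0.2.10"   # public web server in the DMZ (assumed)
DB = "10.0.5.20"     # database server on the internal network (assumed)


def zone_of(addr: str) -> str:
    """Map an address to one of the three zones of the CERT diagrams."""
    a = ip_address(str(addr))
    if a in DMZ_NET:
        return "dmz"
    if a in INTERNAL_NET:
        return "internal"
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str] = None   # None = any host in dst_zone
    dport: Optional[int] = None      # None = any destination port
    src_host: Optional[str] = None   # None = any host in src_zone

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (zone_of(src) == self.src_zone
                and zone_of(dst) == self.dst_zone
                and (self.src_host is None or ip_address(self.src_host) == ip_address(src))
                and (self.dst_host is None or ip_address(self.dst_host) == ip_address(dst))
                and (self.dport is None or self.dport == dport))


class Firewall:
    """Allow-list of rules; anything not explicitly allowed is denied."""

    def __init__(self, name: str, rules):
        self.name = name
        self.rules = list(rules)

    def permits(self, src: str, dst: str, dport: int) -> bool:
        return any(r.matches(src, dst, dport) for r in self.rules)


# Outer firewall: only the public HTTPS service is reachable from the internet.
OUTER_RULES = [
    Rule("internet", "dmz", dst_host=WEB, dport=443),
    Rule("internal", "internet"),            # outbound browsing from inside
    Rule("dmz", "internet", dport=443),      # e.g. patch downloads from the DMZ
]
# Inner firewall: only the web server may talk to the database, on one port.
INNER_RULES = [
    Rule("dmz", "internal", src_host=WEB, dst_host=DB, dport=5432),
    Rule("internal", "internet"),            # transit towards the outer firewall
    Rule("internal", "dmz", dport=443),      # admins reaching the web server
]

OUTER = Firewall("outer", OUTER_RULES)
INNER = Firewall("inner", INNER_RULES)
THREE_NIC = Firewall("outer-3nic", OUTER_RULES + INNER_RULES)


def dual_firewall_path(src: str, dst: str):
    """Figure 1.7: internet -- outer FW -- DMZ -- inner FW -- internal.
    Returns the firewalls crossed, in traversal order."""
    order = ["internet", "dmz", "internal"]
    chain = [OUTER, INNER]                  # chain[i] sits between order[i] and order[i+1]
    a, b = order.index(zone_of(src)), order.index(zone_of(dst))
    if a <= b:
        return chain[a:b]
    return list(reversed(chain[b:a]))


def three_nic_path(src: str, dst: str):
    """Eric's variant: one firewall with internet, DMZ and internal interfaces."""
    return [THREE_NIC] if zone_of(src) != zone_of(dst) else []


def evaluate(topology, src: str, dst: str, dport: int):
    """Return (names of firewalls crossed, verdict). Every firewall on the
    path must permit the flow; an empty path means no firewall is crossed."""
    path = topology(src, dst)
    return [fw.name for fw in path], all(fw.permits(src, dst, dport) for fw in path)


if __name__ == "__main__":
    client = "198.51.100.7"
    for topo in (dual_firewall_path, three_nic_path):
        print(topo.__name__)
        print("  client -> web:443 ", evaluate(topo, client, WEB, 443))
        print("  client -> db:5432 ", evaluate(topo, client, DB, 5432))
        print("  web    -> db:5432 ", evaluate(topo, WEB, DB, 5432))
        print("  other DMZ -> db   ", evaluate(topo, "192.0.2.11", DB, 5432))
```

In the dual layout an internet client reaching the database has to satisfy both the outer and the inner rule set, and a compromised DMZ host other than the web server is still stopped at the inner firewall. In the 3rd-NIC layout the same combined policy lives on one device, so every flow crosses exactly one firewall, which is the trade-off between the two designs.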