From: Kurt Seifried (email@example.com)
Date: Fri Oct 05 2001 - 02:33:23 CDT
> The dual firewall design places a firewall at the
> external perimeter, which connects to the DMZ network
> (and the internet). On the DMZ network is another
> firewall, which sits at the internal network perimeter.
If you wanna be paranoid you allow internal LAN to only talk to DMZ, and not
Internet. Conversely you only allow the Internet to talk to DMZ and not
internal LAN. Basically everything MUST pass through the DMZ servers. Makes
hacking a bit harder as you would have to "leap frog". Using non-routable
IPs on the firewall's interfaces facing the DMZ for example means that you
cannot attack the internal firewall directly from the Internet.
Ease of management. Building rulesets for a firewall with two interfaces is
easier than three (try building a firewall ruleset with 5 interfaces to see
what I mean =). Plus the internal firewall can likely be locked down
extremely tight, the external one less so (making access to DMZ possible).
Doing this on one server is more difficult.
Performance/loading issues: firewalling is a problem that can be serialized
reasonably well. The two server design (implemented correctly of course) can
reduce the load on either machine.
You can use different products (which done correctly can also make an
attacker's life more difficult), typically most people only want a "simple"
set of rules for the external server (block all access in except to certain
DMZ server:port combos). For the internal side you may need something with
authentication, or NAT, or whatever is the case and a different product may
be more appropriate (Firewalls don't just firewall, there is also
authentication, proxying, NAT, etc, etc).
Some other odds and ends too, but they are left as an exercise to the
reader (it's almost 2am and I feel lazy =).