
RE: [FW1] Best Practice?!



In reply to #2, I am assuming your theory is that if the first firewall
is somehow compromised that having the 2nd one a different vendor/type
would perhaps add a secondary layer of protection.

If you have a lot of money to burn and are willing to incur significantly
more administrative overhead and complexity, sounds like that might work.

I think you might spend your time and money more wisely strengthening
your single firewall and tightening your rulebase, along with good intrusion
detection systems.

If it were up to me, I would install two firewalls in parallel and use
a Foundry switch to load balance traffic from two routers taking full
internet routes so you have good redundancy.

In reply to #1, I would not have member servers in DMZ unless absolutely
necessary. I guess it depends on your definition of "DMZ". If you mean
a network segment that is completely exposed to internet without any
rules etc, then I would suggest not running ANY servers there. Lots of
these SOHO "firewalls" have no rule base and DMZ is just wide open.

If DMZ means a network segment that has "some" access to the internet
and rules defining service availability, then you might be able to
run a bastion host that actually does NTLM authentication to your domain
but you should be extremely careful how this server is setup and be
very careful to ensure that if/when it gets compromised it is detected
quickly and there should be a means to quickly restore it to its proper
state. This means running software like tripwire/intact, rembo, etc etc.

If DMZ means a network segment that is secured but has no access to the
internet and is only used for internal security purposes, then allowing
it to be a member server is less of an issue.

I don't know if I like the term DMZ. I prefer to call them "legs" and
they may be separate network segments/vlans with rules defining their
allowed traffic, authentication etc. You might have 3 legs, 5 legs or
more depending on what your situation is.


-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of Ivan Fox
Sent: Saturday, January 13, 2001 2:29 PM
To: fw-wiz; fw-1-mailinglist (e-mail)
Subject: [FW1] Best Practice?!



Are the following two items "best practices"?  Your comments are
appreciated.

1) All NT-based servers in a DMZ should be stand-alone servers, not member
servers of a NT Domain?

2) If two firewalls in serial, they should be of different make, for
instance, Check Point on NT and Check Point on Solaris or Check Point and
PIX?!




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
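The reply above says a bastion host in a DMZ leg must be watched with integrity software such as tripwire so that a compromise is detected quickly and the host can be restored to its known state. The following is an added example, not code from this thread or from any of the tools it names: a minimal tripwire-style file-integrity baseline and comparison in Python, exercised on a constructed temporary directory (the file names under etc/ are made up for the demo).

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Snapshot every regular file under root: content hash, size and permission bits.
    Store the snapshot off-host or on read-only media; a baseline the intruder can
    rewrite cannot reveal the changes it was meant to catch."""
    root_path = Path(root)
    snapshot = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            snapshot[path.relative_to(root_path).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return snapshot


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished or changed since the baseline was taken."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake config tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        for name in ("hosts", "inetd.conf", "motd"):
            (etc / name).write_text(f"# constructed sample {name}\n")
        baseline = build_baseline(root)
        (etc / "inetd.conf").write_text("# changed after the baseline was taken\n")
        (etc / "motd").unlink()
        (etc / "rc.local").write_text("# new file not in the baseline\n")
        return compare(baseline, build_baseline(root))
```

Calling demo() returns one added, one removed and one modified path; on a real host the same compare() run from a scheduled job against the stored baseline is what makes the compromise visible quickly.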