
RE: [FW1] DMZ, why and why not?





The best and most secure thing to do is never advertise the existence of any
server behind the firewall.  Here is why.

If you advertise your servers to the world, then the world knows about them,
obviously.  These are the most likely targets for break-ins.  If someone
breaks into a server that is located in your network (behind your firewall),
he now has access to your entire network.  Basically, your firewall no
longer exists for him.

Now, if your server is in a DMZ with all of your other advertised servers
(email, web, DNS, etc.), what he gets if he compromises the server is just a
slightly expanded set of what the rest of the world has, just the servers in
your DMZ.  He still has to figure out a way to get through the firewall to your
internal servers/LAN.  If it is done right, he may not even know that the
internal LAN exists.

I know this is a somewhat simplistic explanation and it is rarely this easy.
Hopefully this shows you how important a DMZ can be and what it is used for.

Jim Edwards
Systems Manager
Texas Secretary of State
jedwards@sos.state.tx.us
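As an added illustration (not code from either poster), a small Python model of the two layouts discussed above: an ordered rulebase, read first-match-wins the way a FW-1 rulebase is, decides where a connection from the compromised published web server can go. The zone addresses and host lists are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (documentation/private ranges, not the poster's network).
ZONES = {"dmz": ip_network("192.0.2.0/24"), "lan": ip_network("10.0.0.0/8")}

def zone_of(ip):
    """Map an address to its zone; anything outside the DMZ and LAN is 'internet'."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "internet")

# Ordered rulebase, first match wins, the way a FW-1 rulebase is read top to bottom.
# Rule: (source zone, destination zone, destination port or None for any, action).
DMZ_DESIGN = [
    ("internet", "dmz", 80, "accept"),    # published web server
    ("internet", "dmz", 53, "accept"),    # published DNS
    ("lan", "dmz", None, "accept"),       # staff manage the DMZ hosts
    ("lan", "internet", None, "accept"),  # outbound access
    ("dmz", "lan", None, "drop"),         # DMZ hosts never initiate into the LAN
    ("any", "any", None, "drop"),         # cleanup rule
]

# The questioner's current layout: the web server sits inside the LAN behind NAT.
LAN_DESIGN = [
    ("internet", "lan", 80, "accept"),    # port 80 translated to the internal web server
    ("lan", "internet", None, "accept"),
    ("any", "any", None, "drop"),
]

def evaluate(rules, src, dst, port):
    """Verdict for one new connection: 'accept', 'drop', or 'unfiltered'."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "unfiltered"  # same zone: the traffic never crosses the firewall
    for rs, rd, rport, action in rules:
        if rs in (s, "any") and rd in (d, "any") and rport in (port, None):
            return action
    return "drop"

def reachable(rules, attacker_host, targets, port):
    """Targets a connection from attacker_host is allowed (or not even filtered) to reach."""
    return [t for t in targets if evaluate(rules, attacker_host, t, port) != "drop"]

if __name__ == "__main__":
    lan_hosts = ["10.0.0.5", "10.0.0.20"]  # constructed internal file and mail servers
    # The same attacker, having taken over the published web server in each design:
    print(reachable(DMZ_DESIGN, "192.0.2.10", lan_hosts, 445))  # [] -> firewall still holds
    print(reachable(LAN_DESIGN, "10.0.0.80", lan_hosts, 445))   # both hosts, unfiltered
```

The second design shows Jim's point literally: once the attacker is on a LAN host, LAN-to-LAN traffic never reaches the firewall, so no rule can stop it.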


-----Original Message-----
From: pradeep@tradeit.com [mailto:pradeep@tradeit.com]
Sent: Tuesday, September 07, 1999 12:49 PM
To: fw-1-mailinglist@lists.us.checkpoint.com
Subject: [FW1] DMZ, why and why not?




Hi All,

I am new to this mailing group, so if there is any etiquette I have
missed, do forgive me.

I have recently installed and configured Firewall-1 for our LAN.
Currently, I have our Internet Web server in the LAN and am doing
address translation for external access.

There are other servers that I would like to set up, FTP, DNS, etc.
Before I do this, however, I would like to know if there are any
advantages to creating a DMZ and having these servers in there rather than
keeping them in the LAN, like the web server.

Could anyone out there throw some light on this? Thanks.

Pradeep.

-- 
Pradeep Subramaniam,                    |
Senior Systems Administrator            | You can fool some of the people
Versus Technologies Inc.                |   all the time, but not all the
e-mail: pradeep@tradeit.com             |   people all the time.
phone: (416) 214 7979                   |
fax:   (416) 214 9065                   | - Yet another brilliant philosopher
cell:  (416) 991 9625                   |
*******************************************************************************


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================