are DMZ's out of vogue
Eric W. Bates
ericx at vineyard.net
Wed Oct 3 06:50:24 PDT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Stephen Clark wrote:
> Hi List,
>
> Our in-house network configuration is using FreeBSD for our firewall. We
> currently have it set up with 3 interfaces: a public, a private and a DMZ.
> We are moving to a new facility and our network engineer says nobody is
> using DMZs any more and wants to just do NAT redirects from our FreeBSD
> firewall to servers on the private network. These servers were on the DMZ
> in our current configuration.
>
> Does this make sense? Is it true that DMZs have fallen out of vogue?
I don't think they are out of vogue. But we usually use 2 firewalls.
One to separate the DMZ from the Internet (usually the cisco with
dynamic rules), and a second behind the DMZ (usually a FreeBSD box)
before you get to the juicy stuff.
By definition, you don't completely trust the machines in the DMZ.
Because you are inviting the public to poke at ports 25, 80, 143, et al.
on those machines you have to assume they will be exploited at any
moment; so you separate them from your safe world as much as possible.
> Sorry for the off topic post.
>
> Thanks for any input,
> Steve
>
- --
Eric W. Bates
ericx at vineyard.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHA5l6D1roJTQ4LlERAubkAJ0YggFHNwhznUw7ce1f3rOacJ0QugCggBwC
ms+SveSUqeUkOKggjxRNU7U=
=C3Qv
-----END PGP SIGNATURE-----
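The segmentation Eric describes, written out as a pf.conf for a single three-legged FreeBSD firewall (one box, rather than his two-firewall layout, so it also matches Steve's current setup). This is an added example and not a configuration posted by either participant; the interface names (em0/em1/em2), the address ranges, the two DMZ host addresses and the choice of outbound ports the DMZ hosts may use are all assumptions for illustration. It uses the nat/rdr translation syntax of the pf that shipped with FreeBSD at the time. The point it makes is the one in the reply: the rdr rules publish only DMZ hosts, and the one quick block rule on the DMZ leg is what keeps an exploited mail or web server from reaching the private network. If the same rdr rules instead pointed at hosts on the private segment, that block rule would have nothing to protect, because the exposed host would already be inside.

```pf
# Added example (not from the original thread): three-interface pf.conf for a
# FreeBSD firewall with public, DMZ and private legs.
# Interface names, address ranges and host addresses are assumptions.
ext_if  = "em0"               # public leg (assumed)
dmz_if  = "em1"               # DMZ leg (assumed)
int_if  = "em2"               # private leg (assumed)

dmz_net = "192.0.2.0/24"      # DMZ range, RFC 5737 documentation space (assumed)
int_net = "10.0.0.0/24"       # private range (assumed)
mail    = "192.0.2.25"        # DMZ mail server (assumed)
www     = "192.0.2.80"        # DMZ web server (assumed)

set skip on lo0
scrub in all

# Source-NAT both inside segments behind the public address.
nat on $ext_if from { $int_net, $dmz_net } to any -> ($ext_if)

# Publish services only from DMZ hosts; nothing on $int_net is ever a
# redirect target, so no public port maps to the private segment.
rdr on $ext_if proto tcp from any to ($ext_if) port { 25, 143 } -> $mail
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $www

# Default deny on every leg, logged.
block log all

# Public -> DMZ: only the redirected services, only to the redirected hosts.
pass in on $ext_if proto tcp from any to $mail port { 25, 143 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $www port 80 flags S/SA keep state

# DMZ -> private: the rule that embodies "you don't trust the DMZ".
# A compromised DMZ host must not initiate anything toward $int_net.
block in log quick on $dmz_if from $dmz_net to $int_net

# DMZ -> Internet: a short list of outbound ports the DMZ hosts legitimately
# need (DNS, outbound mail, web); everything else from the DMZ is dropped.
pass in on $dmz_if proto { tcp, udp } from $dmz_net to any port { 53, 25, 80, 443 } keep state

# Private -> DMZ and Internet: private hosts may reach out; replies come
# back via state. There is deliberately no "pass out on $int_if", so nothing
# enters the private leg unless a private host started the conversation.
pass in on $int_if from $int_net to any keep state

# Let admitted traffic leave on the other legs; the filtering has already
# happened on the interface where each connection arrived.
pass out on $ext_if keep state
pass out on $dmz_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`. To confirm the segmentation does what the reply asks for, try to open a connection from a DMZ host to any address in the private range and watch `tcpdump -n -e -ttt -i pflog0`: the attempt should show up as a block on the DMZ interface while the same host can still reach the Internet on the listed ports.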