This reminds me of another issue I had with firewall products. Although
I had not made it obvious, the question was framed in the context that the
web server would be in an arbitrary network behind the firewall. It seemed
that a large chunk of firewalls out there do not offer flexible
configurations as far as multiple network interfaces were concerned. How
are large organizations (particularly financial institutions) dealing with
this? Are there people still doing homebrew FWTK/screend setups for large

For example, Borderware offered a third ethernet interface, but called it
Something Special, and charged a huge chunk of money for just the 3rd
interface (for DMZs). No more than 3 interfaces, too.

In talking to resellers for TIS's Gauntlet, some of them were not willing
to set up a firewall with more than 3 (and for one vendor, their limit was
2) interfaces. I was trying to arrange for 4.

In fact, the most surprising thing I heard was that there were resellers
who had not set up firewalls in any other configuration than 2 or 3
interfaces. I'm not sure if this cookbook approach implies a greater
understanding on their part.

This is on top of this stupid problem that product makers insist on weird
terminology for the same things (how many different terms and acronyms are
there for DMZ?), and will (intentionally, or unintentionally) obscure
details such as underlying OS (e.g. what OS does Borderware's black box
reside on? their literature points to BSDI or *bsd, but is never stated).
v: 416 368 3920 x5411
f: 416 368 5505
On Thu, 5 Sep 1996, Adam Shostack wrote:
> I'd go for a demilitarized zone, a third interface off the firewall
> with just the web server.
> Web servers tend to be big, complex, buggy bits of software with
> things like user written cgis that just blow your security. So, if
> you proxy a connection through the firewall to a box that's likely to
> be broken into, you need protection from that box.
> junya @
> | If a network connected to the internet was using a proxy firewall (say,
> | Gauntlet or fwtk), and had a web server behind the firewall which had
> | SSL enabled, what options does the firewall administrator have to ensure
> | that people outside can access the web server inside w/SSL?
> | Someone at TIS said all that needed to be done was to use plug-gw (a
> | generic proxy which just passes bytes) so that the firewall passes
> | traffic. However, given that internal web browsers require a specific SSL
> | proxy service to access SSL enabled web servers on the outside, I don't
> | feel quite convinced. (won't browsers care that the host they're
> | connecting to is different from what the passed certificate information
> | says?)
> | If it's the case that a SSL proxy service is needed for incoming requests,
> | it would seem like the rules would have to be fairly stringent so that
> | someone would not take advantage of it to probe the internal network -
> | like having an HTTP proxy for incoming requests.
> | Can someone explain, before I actually try it out?
> | Junya Ho
> | FSDirect
> | v: 416 368 3920 x5411
> | f: 416 368 5505
> "It is seldom that liberty of any kind is lost all at once."
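The three-interface layout Adam describes (internet, internal, and a DMZ holding only the web server) comes down to a zone policy in which the DMZ host is treated as no more trusted than the internet, so a break-in on the web server gains nothing inside. The model below is an added example written for this page, not code from the thread or from any product named in it; the zone names, subnets, interface assignments and rule set are assumptions, and all addresses are constructed.

```python
"""Zone-based policy model for a three-interface (DMZ) firewall layout.

Added example, not code from the thread or any firewall product.  The
zones, subnets and rules are assumptions chosen to illustrate one point:
the DMZ web server is isolated from the internal network, so compromising
it does not hand an attacker the inside.  Addresses are constructed.
"""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing: one subnet per firewall interface (constructed values).
ZONES = {
    "internal": ip_network("10.0.0.0/8"),    # interface 1: corporate LAN
    "dmz": ip_network("192.0.2.0/24"),       # interface 3: web server only
}
# Anything not in a known zone is the outside (interface 2).


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"


# Evaluated top to bottom, first match wins, default deny.
POLICY = [
    Rule("internet", "dmz", 443, "allow"),      # public HTTPS to the web server
    Rule("internet", "dmz", 80, "allow"),       # public HTTP to the web server
    Rule("internal", "dmz", 443, "allow"),      # staff may use the web server
    Rule("dmz", "internal", None, "deny"),      # a broken-into web server gets nothing inside
    Rule("internal", "internet", None, "allow"),
]


def decide(src: str, dst: str, dport: int) -> str:
    """Return the policy verdict for one flow (source, destination, port)."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in POLICY:
        if r.src_zone == sz and r.dst_zone == dz and r.dst_port in (None, dport):
            return r.action
    return "deny"


def dmz_leaks(policy=POLICY) -> list:
    """Audit: list any rule that would let the DMZ initiate into the inside.

    An empty result is the invariant a DMZ design is meant to guarantee;
    a non-empty result means the third interface buys no containment.
    """
    return [r for r in policy
            if r.src_zone == "dmz" and r.dst_zone == "internal" and r.action == "allow"]


if __name__ == "__main__":
    # Constructed sample flows: outside client, DMZ web server, inside host.
    for flow in [("203.0.113.5", "192.0.2.10", 443),   # outside -> web server
                 ("203.0.113.5", "10.1.2.3", 443),     # outside -> inside host
                 ("192.0.2.10", "10.1.2.3", 22),       # web server -> inside host
                 ("10.1.2.3", "192.0.2.10", 443)]:     # inside -> web server
        print(flow, "->", decide(*flow))
    print("DMZ->internal allow rules:", dmz_leaks())
```

In a two-interface setup the web server would sit in the "internal" zone and the third flow above would never cross the firewall at all, which is the exposure Adam's point is about; the audit function makes that invariant something you can check rather than assume.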