On Fri, 22 Nov 1996, Daniel Salenger wrote:
> I am working with a client that has the following configuration:
>
>
> {Internet}--[ISP]--[Firewall-1]-[WWW server]-[router]--[internal net]
>
Why not use a three NIC firewall for your DMZ? Like this:
{Internet}--[ISP]--[Firewall]-[router]-[internal net]
                       |
                     [DMZ]
Configure the firewall to deny all traffic going from the DMZ to the
internal net (except for the replies to authorized internal users). That
way, if DMZ machines are compromised, your internal net will be protected.
You can still apply filter rules on your internal router for additional
security.
Some firewalls can segment this type of traffic better than others. Check
with your firewall vendor for details.
>
> My train of thought is that if the WWW server is compromised
> (Firewall-1 does not seem to look at the 'insides' of the HTTP packet
> traffic to look for harmful commands and buffer overflows, etc...)
> then an attacker would have a launching point for the next phase of
> the attack which would be against the router. Any thoughts or
> opinions concerning this situation? Thank you for any assistance.
>
> Dan Salenger
> Deloitte & Touche LLP
> dsalenger@dttus.com
>
Good luck with your research,
Chris
--
---------------------------------------------------------------------
Chris Carlson http://www.cycon.com
CYCON Technologies                info@cycon.com
carlson@cycon.com                 (703) 383-0247
CYCON Labyrinth Firewall - Stateful Inspection & Address Translation
---------------------------------------------------------------------
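To make the "deny everything from the DMZ to the internal net except replies to authorized internal users" rule concrete, here is an added example (not from the original thread, and not the rule language of Firewall-1, CYCON Labyrinth or any other product) of a toy stateful three-zone filter in Python; the zone names, addresses and permitted port sets are assumptions.

```python
from dataclasses import dataclass

# Constructed example: a minimal stateful filter for the three-NIC layout
# (zones: wan = Internet side, dmz = web server segment, int = internal net).
# Zone names, addresses and ports below are assumptions, not from the thread.

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True when the packet tries to open a new connection

# Who may OPEN connections to whom, and on which ports (None = any port).
# There is deliberately no (dmz -> int) entry: the DMZ may only answer.
NEW_CONN_POLICY = {
    ("int", "dmz"): {80, 443, 22},  # internal users/admins reach the web host
    ("int", "wan"): None,           # internal users browse the Internet
    ("wan", "dmz"): {80, 443},      # the public reaches the web server only
}

class StatefulFilter:
    def __init__(self):
        self.conns = set()  # (src, sport, dst, dport) of connections we allowed

    @staticmethod
    def _key(p, reverse=False):
        if reverse:
            return (p.dst, p.dport, p.src, p.sport)
        return (p.src, p.sport, p.dst, p.dport)

    def decide(self, p):
        # A reply belonging to a tracked connection passes in either direction.
        if self._key(p, reverse=True) in self.conns:
            return "accept"
        if not p.syn:
            return "drop"  # mid-stream packet for a connection we never saw
        ports = NEW_CONN_POLICY.get((p.src_zone, p.dst_zone), set())
        if ports is None or p.dport in ports:
            self.conns.add(self._key(p))
            return "accept"
        return "drop"  # covers every new connection initiated from the DMZ
```

Even if the DMZ web server is taken over, the filter state only lets it answer sessions an internal host opened; it cannot start a new session toward the router or the internal net.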