In addition to the "DMZ inside or outside the proxy server" issue,
the 2nd option doesn't show a router at the backend of the complex.
Hence, there are no filtering rules protecting your firewall
(proxy/bastion) from internal attack. This is, in my humble opinion,
a cardinal error.
On Mon, 19 May 1997, Frederick M Avolio wrote:
> The obvious is that the firewall in the second case protects the DMZ. This
> is a good thing from a security standpoint. Some prefer the first, trading
> off security for speed. The extra security benefit in the second diagram
> makes it worth it to test both set-ups to see if there really is any
> performance hit for #2.
> At 02:02 PM 5/19/97 +0200, Domenico Viggiani wrote:
> >I'm sorry for the obvious question (perhaps it is a FAQ).
> >What are the differences between this architecture:
> >Internet ----- Router ----- Firewall ----- DMZ ----- Router -----
> >Internal Network
> >and this one:
> >Internet ---- Router ----- DMZ ----- Firewall ----Internal Network
> >I found both of them in two real-world sites but I don't understand well
> >their pros and cons.
> >Thank you in advance.
> >Domenico Viggiani Internet Systems Engineer
> >CAP GEMINI ITALY SpA E-mail: dviggian @
> >Via dei Berio, 91 - 00155 Roma Phone: +39 6 23190 509
Douglas M. MacFarlane
Principal, Vauban Industries