Bernd Eckenfels wrote:
>
> Hello,
>
> > the only hub in your security it could pose a serious problem). The two hub
> > design is strongly recommended (and with just the above few thoughts I can
> > see why) in one of the books that I read (I think it was Building Internet
> > Firewalls by Chapman and Zwicky). L8r.
>
> There is a drawback in the two hub design: you can't control IP spoofing on
> the second (inner) router very well, since you don't know whether the originator
> on the middle interface is from the Internet (the outer router) or from any
> host on the DMZ. This means DMZ hosts are able to fake any outside IP
> address (and, even worse, sniff the answers. Not that I would recommend any
> authentication based on it).
Yes, in the DMZ the www/ftp/... servers really should have a switch.
This makes it much safer. In the book there are some more grave bugs.
I am working on some corrections, which I will post in the next weeks.
cu, Guido Stepken
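To make the spoofing point concrete, here is a small packet-filter model of the screened-subnet ("two hub") design discussed above. It is an added example written for this page, not code from the thread, from Chapman and Zwicky's book, or from any real firewall; the addresses, interface names and the exact rule sets are assumptions for illustration. The model shows that the outer router can reject spoofed packets on both of its interfaces, while the inner router, whose DMZ-side interface carries packets relayed by the outer router and packets sent by DMZ hosts alike, can only reject forged internal addresses; a DMZ host forging an Internet source towards the LAN produces a packet that is byte-for-byte identical to a genuine one.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for the screened-subnet ("two hub") design in the thread.
# Addresses are assumed for illustration; they are not from the original messages.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")      # the shared segment between the two routers
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # the protected LAN behind the inner router


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    arrived_on: str  # router interface the frame came in on: "ext", "dmz" or "int"


def _in(addr: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(addr) in net


def outer_router(pkt: Packet) -> str:
    """Exterior router: 'ext' faces the Internet, 'dmz' faces the shared DMZ hub."""
    if pkt.arrived_on == "ext":
        # Anti-spoofing on the Internet side: no outside packet may claim an inside address.
        if _in(pkt.src, DMZ_NET) or _in(pkt.src, INTERNAL_NET):
            return "DROP"
        return "PASS"
    if pkt.arrived_on == "dmz":
        # Egress filtering: only DMZ or internal sources may leave towards the Internet.
        if _in(pkt.src, DMZ_NET) or _in(pkt.src, INTERNAL_NET):
            return "PASS"
        return "DROP"
    return "DROP"


def inner_router(pkt: Packet) -> str:
    """Interior router: 'dmz' faces the same shared hub, 'int' faces the protected LAN."""
    if pkt.arrived_on == "int":
        return "PASS" if _in(pkt.src, INTERNAL_NET) else "DROP"
    if pkt.arrived_on == "dmz":
        # The only spoof check possible here: an internal address must never come from the DMZ side.
        if _in(pkt.src, INTERNAL_NET):
            return "DROP"
        # An Internet source address is legitimate on this interface (relayed by the outer
        # router) and is also exactly what a DMZ host would forge. Both arrive on the same
        # interface, so an address-based rule cannot tell them apart.
        return "PASS"
    return "DROP"


def scenarios() -> dict:
    """Run both filters over constructed packets; each key names the case it checks."""
    return {
        # Internet host forging an internal source: stopped at the outer router.
        "internet forges internal src @outer": outer_router(
            Packet(src="10.0.0.5", dst="192.0.2.10", arrived_on="ext")),
        # DMZ host forging an Internet source towards the Internet: stopped by egress filter.
        "dmz forges internet src @outer": outer_router(
            Packet(src="198.51.100.7", dst="203.0.113.9", arrived_on="dmz")),
        # Genuine Internet packet relayed by the outer router onto the DMZ segment: must pass.
        "real internet src @inner": inner_router(
            Packet(src="198.51.100.7", dst="10.0.0.5", arrived_on="dmz")),
        # DMZ host forging the same Internet source towards the LAN. It never crosses the
        # outer router, and the inner router sees an identical packet, so it passes too.
        "dmz forges internet src @inner": inner_router(
            Packet(src="198.51.100.7", dst="10.0.0.5", arrived_on="dmz")),
        # DMZ host forging an internal source: this one the inner router can catch.
        "dmz forges internal src @inner": inner_router(
            Packet(src="10.0.0.9", dst="10.0.0.5", arrived_on="dmz")),
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:40s} {verdict}")
```

The two "@inner" cases with the Internet source build the very same Packet on purpose: the inner router has no field to inspect that differs between the relayed packet and the forged one. Replacing the hub with a switch, as suggested above, keeps DMZ hosts from sniffing the replies, but it does not give the inner router any additional address information to filter on.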