Firewall behind Router

Brian Densmore DensmoreB at ctbsonline.com
Thu Jan 3 16:05:12 CST 2002


> -----Original Message-----
> From: Monty J. Harder [mailto:lists at kc.rr.com]
> Sent: Wednesday, January 02, 2002 8:31 PM
> To: jose sanchez; kclug at kclug.org
> Subject: Re: Firewall behind Router
> 
> 
> "jose sanchez" <j_r_sanchez at yahoo.com> wrote:
> 
> > I want both Servers (WWW & FTP, and soon SMTP) to be
> > accessible by the outside world as well as from
> > inside. I can have our ISP forward any WWW request to
> > any internal IP. This is how I am currently running
> > the server. I really don't know how secure our LAN is.
> > My boss just wants a firewall installed and that's my
> > job to get this done. With your help, ideas, input,
> > etc... I would be able to have a better designed and
> > less vulnerable network.
> 
> 
>  Your scheme violates The Prime Directive of Firewalls:  Accept no
> connections from outside the firewall.  The proper way to do this is to put
> the servers in the DMZ, so that connections can be opened to them from any
> domain.  If you must have access to resources within the firewall, it's
> probably best to restrict those to VPN tunnels (you can even have the
> machine inside the firewall open the tunnel) which provide authentication
> and encryption as additional security.
> 
Well, I have to disagree a little here [even though it is against the
prime directives]. Of course it depends on how you define a DMZ. We have
a Router on our outside connection, it does some firewalling. Behind
that is a switch, behind that is a firewall. The firewall directs
traffic to the various web and mail servers and the LAN. Even the WAN
goes through the outside router (over a dedicated line). I have my own
web/mail server outside the firewall. Now you could call the
Router/switch combo the DMZ, or you could call our configuration a
double firewall. There is no ftp server, although we are looking at
this, and it would/will be outside the firewall (inside the firewalling
router). I would agree that the ftp server needs to be outside the
firewall. 

[sidebar: Or better yet use a secure FTP protocol, perhaps wrapped in
SSL. This may make it a little less universally usable, but much more
secure. FTP is, in my opinion, the single worst protocol to implement.
SMTP being second. Of course I am excluding telnet and r* because they
are just so patently insecure and dangerous no one should even consider
using them, period.]

I feel that the mail server and web server are better behind the
firewall. I also feel they should be dedicated and all ports closed on
them except for the ports they need to do that one function. In fact
everything should be behind some kind of firewall, so one can stop
intruders before they can get anywhere. If that means having two
firewalls, so be it. For a commercial enterprise the added security is
well worth the investment. A single intrusion event will easily cost
more than that second firewall.
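The layout Brian describes (a firewalling router in front of the public servers, a second firewall in front of the LAN, each server opened only on its one service port) can be checked as a policy before anything is typed into a real device. The following is an added example, not code from the thread: a small two-stage, first-match, default-deny filter model with constructed addresses (192.0.2.0/24 for the server segment, 10.0.0.0/24 for the LAN, 203.0.113.7 as an outside host).

```python
"""Model of the double-firewall topology from the thread (added example).
Stage 1: outer firewalling router, crossed by any flow with an external endpoint.
Stage 2: inner firewall, crossed by any flow with a LAN endpoint.
Each stage is a first-match rule list; no match means drop (default deny).
All addresses below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int  # destination TCP port


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    ports: frozenset  # empty set means any destination port
    action: str       # "accept" or "drop"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src and ip_address(f.dst) in self.dst
                and (not self.ports or f.port in self.ports))


def rule(src, dst, ports, action="accept"):
    return Rule(ip_network(src), ip_network(dst), frozenset(ports), action)


ANY, SERVERS, LAN = "0.0.0.0/0", "192.0.2.0/24", "10.0.0.0/24"
WEB, MAIL = "192.0.2.10/32", "192.0.2.25/32"   # dedicated single-purpose hosts

# Outer router: each server reachable on its one service only; LAN may go out.
OUTER = [rule(ANY, WEB, {80, 443}), rule(ANY, MAIL, {25}), rule(LAN, ANY, set())]
# Inner firewall: only LAN-originated traffic passes; nothing reaches the LAN.
INNER = [rule(LAN, ANY, set())]


def evaluate(rules, flow) -> str:
    """First matching rule wins; an unmatched flow is dropped."""
    return next((r.action for r in rules if r.matches(flow)), "drop")


def allowed(flow: Flow) -> bool:
    """A flow is permitted only if every stage on its path accepts it."""
    inside = {ip_network(SERVERS), ip_network(LAN)}
    ends = [ip_address(flow.src), ip_address(flow.dst)]
    stages = []
    if any(not any(e in n for n in inside) for e in ends):   # external endpoint
        stages.append(OUTER)
    if any(e in ip_network(LAN) for e in ends):                # LAN endpoint
        stages.append(INNER)
    return all(evaluate(s, flow) == "accept" for s in stages)
```

The model makes the point of the post concrete: a compromised web server still cannot open a connection into the LAN, because that flow crosses the inner firewall and matches nothing there.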
