routing problem - fork on gateways
Jeremy Fowler
JFowler at westrope.com
Wed Aug 31 16:00:39 CDT 2005
> > So your router and firewall are two separate machines?
> Seems redundant to me, most firewalls do routing as well.
> The only reason you would need a router is if the firewall
> wasn't on the same subnet.
>
> No, it's standard practice for the ultraparanoid.
>
> The idea is, if your outer wall is compromised, hopefully you can
> limit the damage
> before Kevin Mitnick gets all the way into your shorts.
>
> You might want to put a honeypot in there too.
Not in this scenario. The firewall is on the SAME subnet as the router and hosts. If the firewall was compromised, there would be nothing stopping it from attacking the rest of the hosts. In order to establish a DMZ, he needs to place the firewall on a separate subnet off from the rest of the network for it to be secured like in my second example. He would need to VLAN off that connection as well, or use a separate switch not connected to the LAN.
More information about the Kclug
mailing list