Let me see if I can clear something up.
----------
| |
| | Internet facing firewall
---------
DMZ
----------
| |
| | Internal firewall
---------
As you can see the DMZ is the area in between the two firewalls. You
really do not want any servers receiving service requests on your most
protected side(behind the internal firewall). You are doing the right
thing by keeping them where they are.
Defense in depth is something that takes layers. You have take one of
the steps with separating what is receiving requests from the internet
from your LAN. You now need to finish out the package. You need AV,
patch management, host based IDS, Network IDS, and auditing just to
name a few. Defense in depth is hard to achieve for a home user since
it means computers that are dedicated to things like IDS. Once you have
these in place you also need configure and tune them. There is no magic
bullet and it will take some work. Good luck.
-Ken
On Oct 27, 2004, at 3:33 AM, Ronish Mehta wrote:
Hi List,
I have a network setup with 2 firewalls
There is a DMZ on the Internet facing firewall
The servers on this DMZ contains servers that host
both "http" and "https" pages
There are no DMZ on the second firewall
From what I understand, this setup is not providing
defense in depth, at least not full defense in depth
I wanted to create a DMZ on the second firewall, and
move servers that host "HTTPS" pages to this new DMZ
Would this new setup improve the security of the
network?
Thanks for comments,
Ronish
__________________________________
Do you Yahoo!?
Yahoo! Mail - You care about security. So do we.
http://promotions.yahoo.com/new_mail
Ken Swain
mail: ken@kenswain.com
im: aim:krswain190
web: kenswain.com
"/dev/geek"
smime.p7s
Description: S/MIME cryptographic signature
