Hello,

I don't really see there being much point in using IPSEC between the DMZ and the LAN. If the DMZ machine was compromised then you have effectively compromised the LAN anyway. I think IPSEC would only be useful if the LAN and DMZ were separated by another, perhaps untrusted network (or you really don't trust your local network infrastructure). If they are hanging off the same Monowall then you can secure traffic between DMZ and LAN with machine specific rules.

The way I would approach this is to use reverse proxies in the DMZ to enforce protocol correctness and security. You would then only need tiny holes in the firewall (e.g. http and smtp+imap etc). If the DMZ machine is compromised then the attacker only has very limited access to attack the LAN.

Regards,
Kris.

----- Original Message -----
From: "Lee Sharp" <leesharp at hal dash pc dot org>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, October 19, 2005 5:04 AM
Subject: Re: [m0n0wall] NT4 networking and m0n0

>> I don't use FP, exchange, printing services etc. So either I get safety
>> or convenience. At present the servers can't login to the domain and
>> aside from the errors in the logs they appear to be working so I'll go
>> with safety.
>
> You could get the servers to do an IPsec tunnel to the LAN side. A little
> complexity, but safety and convenience.
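As an added illustration of the "machine specific rules" versus "tiny holes" point above (example code written here, not from the thread or from m0n0wall): a small first-match rule evaluator that shows what a compromised DMZ host can still reach on the LAN under per-host pinholes from the reverse proxy, compared with a subnet-wide hole for the same services. All addresses, host roles and the first-match model are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # source host/network in CIDR notation
    dst: str                    # destination host/network in CIDR notation
    proto: str                  # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def decide(rules, src, dst, proto, dport, default="block"):
    """First-match evaluation (assumed here; the usual firewall model)."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return default


# Constructed addressing for the example (not from the thread).
LAN, DMZ = "192.168.1.0/24", "192.168.2.0/24"
PROXY, WEB, MAIL = "192.168.2.10", "192.168.1.20", "192.168.1.30"

# Per-host pinholes from the reverse proxy only, then block DMZ->LAN
# before the catch-all that lets the DMZ reach the Internet.
PINHOLE_RULES = [
    Rule("pass", PROXY + "/32", WEB + "/32", "tcp", 80),
    Rule("pass", PROXY + "/32", MAIL + "/32", "tcp", 25),
    Rule("pass", PROXY + "/32", MAIL + "/32", "tcp", 143),
    Rule("block", DMZ, LAN, "any"),
    Rule("pass", DMZ, "0.0.0.0/0", "any"),
]

# The same services opened lazily for the whole DMZ subnet.
SUBNET_RULES = [
    Rule("pass", DMZ, LAN, "tcp", 80),
    Rule("pass", DMZ, LAN, "tcp", 25),
    Rule("pass", DMZ, LAN, "tcp", 143),
    Rule("block", DMZ, LAN, "any"),
    Rule("pass", DMZ, "0.0.0.0/0", "any"),
]


def reachable_from(rules, attacker, lan_hosts, ports=(22, 25, 80, 143, 445)):
    """(host, port) pairs on the LAN that `attacker` in the DMZ can reach."""
    return {(h, p) for h, p in product(lan_hosts, ports)
            if decide(rules, attacker, h, "tcp", p) == "pass"}
```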