[ previous ] [ next ] [ threads ]
 
 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] NT4 networking and m0n0
 Date:  Wed, 19 Oct 2005 23:59:11 +0100
Hello,

I don't really see there being much point in using IPSEC between the DMZ and 
the LAN. If the DMZ machine was compromised then you have effectively 
comprised the LAN anyway.

I think IPSEC would only be useful if the LAN and DMZ were seperated by 
another, perhaps untrusted network (or you really don't trust your local 
network infrastructure). If they are hanging off the same Monowall then you 
can secure traffic between DMZ and LAN with machine specific rules.

The way I would approach this is to use reverse proxies in the DMZ to 
enforce protocol correctness and security. You would only then only need 
tiny holes in the firewall (e.g. http and smtp+imap etc). If the DMZ machine 
is comprised then the attacker only has very limited access to attack the 
LAN.

Regards,

Kris.

----- Original Message ----- 
From: "Lee Sharp" <leesharp at hal dash pc dot org>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, October 19, 2005 5:04 AM
Subject: Re: [m0n0wall] NT4 networking and m0n0


>> I don't use FP, exchange, printing services etc. So either I get safety
>> or convenience. At present the servers can't login to the domain and
>> asides from the errors in the logs they appear to be working so I'll go
>> with safety.
>
> You could get the servers to do an IPsec tunnel to the LAN side.  A little 
> complexity, but safety and convenience.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>