Designing and Using DMZ Networks to Protect Internet Servers
Naturally, you want to carefully restrict traffic from the outside world to the DMZ. But it's equally important to carefully restrict traffic from the DMZ to your internal network (to protect it in the event that a DMZ host is compromised) and from the DMZ to the outside world (to prevent a compromised DMZ host from being used to attack other networks).
It goes without saying that you'll probably want to block all traffic from the Internet to internal hosts. (You may or may not feel a need to restrict traffic from the internal network to the DMZ, depending on what type of access internal users really need to DMZ hosts and how much you trust internal users.) In any event, your firewall-security policy will be much more effective if your firewall can distinguish between legitimate and phony source-IP addresses. Otherwise, it might be possible for an external user to slip packets through the firewall by forging internal source IPs.
By default, most firewalls don't have this functionality enabled (the feature is usually called something like anti-IP-spoofing. Even if your firewall supports it, you'll probably have to configure and start it yourself. It's well worth the effort, though.
Today five randomly drawn entrants will win:
Rock, Paper, Scissors, Lizard, Spock mug and LJ subscription
Enter to Win
|December Daily Giveaways are Back!||Dec 01, 2015|
|December 2015 Video Preview||Nov 30, 2015|
|Take Control of Your PC with UEFI Secure Boot||Nov 30, 2015|
|Geek Hide-away in Guatemala - Stay for Free!||Nov 26, 2015|
|Microsoft and Linux: True Romance or Toxic Love?||Nov 25, 2015|
|Non-Linux FOSS: Install Windows? Yeah, Open Source Can Do That.||Nov 24, 2015|
- Take Control of Your PC with UEFI Secure Boot
- Cipher Security: How to harden TLS and SSH
- Non-Linux FOSS: Install Windows? Yeah, Open Source Can Do That.
- December Daily Giveaways are Back!
- Web Stores Held Hostage
- Firefox's New Feature for Tighter Security
- Microsoft and Linux: True Romance or Toxic Love?
- Geek Hide-away in Guatemala - Stay for Free!
- diff -u: What's New in Kernel Development
- PuppetLabs Introduces Application Orchestration