[Sussex] WAP Security advice...

Mark Harrison Mark at ascentium.co.uk
Fri Nov 28 10:57:55 UTC 2003


----- Original Message ----- 
From: "Matthew Macdonald-Wallace" <matthew at truthisfreedom.org.uk>
To: "LUG email list for the Sussex Counties" <sussex at mailman.lug.org.uk>
Sent: Friday, November 28, 2003 8:49 AM
Subject: Re: [Sussex] WAP Security advice...


> So the firewall looks something like this?
>
> eth0: external/internet
>
> eth1: DMZ/WAP
>
> eth2: Internal LAN (192.168.x.x/24 etc)
>
> In which case, I presume that you have a few DMZ pinholes into the LAN
> to allow access to file servers etc?

Ooh no - much more complex than that.

eth0: Internet
eth1: DMZ with external facing servers
eth2: Leased lines to suppliers / WAP (multiple IP addresses bound, one for
each third party connection, one for WAP)
eth3: Internal

There are no "zone pinholes", i.e. nothing that allows EVERYTHING on the DMZ
to see the Internal.

There are server-specific rules - e.g. there's a rule that says FROM the
relay on the DMZ TO the mail relay on the internal network.

I should point out that this is Checkpoint Firewall-1, so it gives some rather
more sophisticated options than Smoothie, particularly in terms of
rule-specific authentication options.

The WAP zone will have no more access to the internal network than the
Internet would.

M.
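An added example (not Mark's configuration and not a Firewall-1 export): a small Python model of the four-interface layout above that evaluates flows with first-match, default-drop semantics and audits the ruleset for "zone pinholes", meaning accept rules that let more than one host into the internal zone. The interface-to-zone mapping follows the reply; the address ranges, relay addresses and the rules themselves are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
Net = ipaddress.IPv4Network

# Interface -> (zone, network), mirroring the four-interface layout in the
# thread. The address ranges are constructed; the mail only says 192.168.x.x.
ZONES = {
    "eth0": ("internet", Net("0.0.0.0/0")),
    "eth1": ("dmz", Net("10.1.0.0/24")),
    "eth2": ("wap", Net("10.2.0.0/24")),
    "eth3": ("internal", Net("192.168.0.0/16")),
}
INTERNAL = ZONES["eth3"][1]

@dataclass(frozen=True)
class Rule:
    src: Net
    dst: Net
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"

def zone_of(addr: str) -> str:
    """Most-specific zone containing addr; 0.0.0.0/0 is the catch-all."""
    ip = ipaddress.ip_address(addr)
    for name, net in sorted(ZONES.values(), key=lambda z: -z[1].prefixlen):
        if ip in net:
            return name
    raise ValueError(addr)

def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; an unmatched flow is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action
    return "drop"

def find_pinholes(rules):
    """Accept rules that let more than one host into the internal zone:
    the 'zone pinholes' the reply says its policy does not contain."""
    return [r for r in rules if r.action == "accept"
            and r.src.num_addresses > 1 and r.dst.subnet_of(INTERNAL)]

# Constructed ruleset: one server-specific rule (DMZ mail relay -> internal
# mail relay, SMTP) and outbound web from the internal LAN. Nothing zone-wide.
RULES = [
    Rule(Net("10.1.0.25/32"), Net("192.168.1.25/32"), 25, "accept"),
    Rule(Net("192.168.0.0/16"), Net("0.0.0.0/0"), 80, "accept"),
]
```

With this ruleset a flow from the WAP zone to the internal mail relay is dropped exactly as one from the Internet would be, and `find_pinholes` returns an empty list; adding an accept rule from the whole DMZ /24 into 192.168.0.0/16 makes it appear in the audit output.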