undefined | Better HN

0 pointsNoZebra120vClip2y ago0 comments

> If you used Linux like you would a true firewall

Host-based firewalls are, indeed, fake firewalls, and it's unfortunate that they chose to use the same term for functions that superficially look like they do the same thing, but are way less effective, and encourage bad network design.

The classic architecture for security was: edge router -> firewall -> DMZ -> bastion -> DMZ -> office router

You could put more firewalls, and switches and stuff, in there, but it is really important to have a bastion host as a chokepoint in the DMZ. You could have an IPS doing this instead. Or you could have a proxy server such as SOCKS.

But your firewall is pretty far away from any host that could get bright ideas about messing with it. (Because it is possible for client hosts to mess with router "firewall" settings via UPnP.)

This collapsing of topology also happens with other stuff, like NIDS/HIDS intrusion detection. Yeah, IDS can be more effective in certain ways when it has access to host-based logs and resources. But it's different than an isolated IDS listening on a TAP/SPAN where nobody logs into it and doomscrolls Facebook.

0 comments

2 comments · 1 top-level

chrisshroba2y ago· 1 in thread

What is the DMZ, physically? I've always heard of putting your bastion in a DMZ but is that a conceptual layer or some sort of physical box sitting between the firewall and the bastion, and the bastion and the office router?

NoZebra120vClipOP2y ago

A DMZ is a buffer zone network. The DMZ is intended to be physically protected, and sparsely populated, and only by security-hardened systems with no user accounts and no data of consequence.

j / k navigate · click thread line to collapse