But you can have more than one subnet behind your firewall.  One for your
DMZ, and one for machines you don't want accessible from the outside.

Gabe

On Wed, Nov 22, 2000 at 01:37:01AM -0600, Joel Schneider wrote:
> (slow response -- just catching up with Monday's email)
> 
> The "DMZ" style setup isolates the publicly accessible server(s) from
> the internal network.  Its advantage is that, because the server(s) are
> on the other side of the firewall, it's not necessary to open a
> potential avenue of attack on machines behind the firewall by having the
> firewall do port forwarding, thereby exposing services that could
> potentially be exploited.  DNS and email servers might also be placed in
> the "DMZ".
> 
> Putting three NIC cards in the firewall machine looks like a more secure
> approach, though.  Cool idea!
> 
> Beyond turning off telnet and web access, I hadn't really thought much
> about not trusting the 675.  I suppose the web server itself could do
> some packet filtering...
> 
> In any case, it's very comforting to have some decent protection.
> 
> Joel
> 
-- 
--------------------------------------------------------------------------------
Gabe Turner				       |  	   X-President,
UNIX Systems Administrator,		       | Assoc. for Computing Machinery
U of M Supercomputing Institute for	       |    University of Minnesohta
Digital Simulation and Advanced Computation    |       dopp at acm.cs.umn.edu

"I almost shudder at the thought of alluding to the most fatal example of 
 the abuses of grief which the history of mankind has preserved -- the Cross."

								- John Adams
-------------------------------------------------------------------------------
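One way to express the three-NIC layout discussed above (Internet, DMZ and internal subnet each on its own firewall interface) as a Linux iptables forwarding policy. This is an added example, not code from anyone in the thread; the interface names, address ranges and server addresses are assumptions chosen for illustration. The DMZ hosts are reachable only on the services they publish, the internal subnet is never reachable from the Internet or from the DMZ (so a compromised public server gains nothing inward), and the firewall does no port forwarding into the internal network, which is exactly the avenue of attack Joel's message wants to avoid. By default the script only prints the rules; run it with IPT=iptables as root to load them.

```shell
#!/bin/sh
# Added example: forwarding policy for a firewall with three interfaces.
# All names and addresses below are assumptions, not taken from the thread.
WAN=eth0                 # toward the Internet
DMZ=eth1                 # publicly reachable servers
LAN=eth2                 # internal machines, never reachable from outside
LAN_NET=192.168.1.0/24   # assumed internal (private) subnet
WEB=192.0.2.10           # assumed DMZ web server   (documentation range)
DNS=192.0.2.53           # assumed DMZ DNS server
MAIL=192.0.2.25          # assumed DMZ mail server

# Dry run by default: print the rules. Use IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

gen_rules() {
    # Default deny for everything the firewall forwards.
    $IPT -P FORWARD DROP

    # Replies to connections that were allowed below may flow back.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Nothing new ever enters the internal subnet from outside or from the DMZ.
    $IPT -A FORWARD -i $WAN -o $LAN -j DROP
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP

    # Internet -> DMZ: only the published services, to the specific hosts.
    $IPT -A FORWARD -i $WAN -o $DMZ -d $WEB  -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $DMZ -d $WEB  -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $DMZ -d $DNS  -p udp --dport 53  -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $DMZ -d $DNS  -p tcp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $DMZ -d $MAIL -p tcp --dport 25  -m conntrack --ctstate NEW -j ACCEPT

    # DMZ -> Internet: only what the servers themselves need.
    $IPT -A FORWARD -i $DMZ -o $WAN -s $DNS  -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $WAN -s $DNS  -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $WAN -s $MAIL -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT

    # Internal subnet may initiate connections to the DMZ and to the Internet.
    $IPT -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT

    # Internal hosts use private addresses, so masquerade them on the way out.
    # The DMZ hosts carry their own routable addresses: no port forwarding needed.
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE

    # Anything that fell through is logged, then hits the default DROP.
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

# count_matching PATTERN: number of emitted rules matching PATTERN (dry run).
count_matching() {
    gen_rules | grep -c -- "$1"
}

gen_rules
```

Because the interface pair is fixed on every rule, the two explicit DROPs into the LAN come before any ACCEPT, and the only thing that can cross into the internal subnet is reply traffic for a connection an internal host opened.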