begin Noah Meyerhans quotation:
>
> So what are you suggesting, then? This was Will's mail server we're
> talking about. First you say it needs to be behind the firewall or else
> it's doomed to be cracked, then you say it needs to be in the DMZ.
A DMZ is still behind the firewall. A DMZ is its own little isolated corner where all traffic to the Internet goes through the firewall, and all traffic to the LAN goes through the firewall. That way, if the server is cracked, it still can't get to anything except on the ports that are "trusted". This enables you to use "insecure" protocols behind your firewall, yet still have net-facing services such as email, with a higher degree of confidence that a security bug in the net-facing box won't compromise your entire network.

--
Shawn McMahon | McMahon's Laws of Linux support:
http://www.eiv.com | 1) There's more than one way to do it
AIM: spmcmahonfedex, smcmahoneiv | 2) Somebody thinks your way is wrong
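The three-legged layout described in the message above, written as an nftables forward policy. This is an added example, not part of the original thread; the interface names, addresses and the specific ports allowed are assumptions, and NAT is left out.

```nftables
#!/usr/sbin/nft -f
# Added illustration, not from the original message.
# Assumed (hypothetical) layout:
#   wan0 = Internet, lan0 = internal LAN, dmz0 = DMZ segment
#   mail server in the DMZ at 192.168.2.25

flush ruleset

define WAN  = "wan0"
define LAN  = "lan0"
define DMZ  = "dmz0"
define MAIL = 192.168.2.25

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Only the LAN may reach the firewall's own SSH (assumed admin path).
        iifname $LAN tcp dport 22 accept
    }

    chain forward {
        # Default drop: every flow between segments must be listed here.
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept

        # Internet -> DMZ: SMTP to the mail server and nothing else.
        iifname $WAN oifname $DMZ ip daddr $MAIL tcp dport 25 accept

        # DMZ -> Internet: outbound SMTP and DNS from the mail server (assumed needs).
        iifname $DMZ oifname $WAN ip saddr $MAIL tcp dport 25 accept
        iifname $DMZ oifname $WAN ip saddr $MAIL udp dport 53 accept
        iifname $DMZ oifname $WAN ip saddr $MAIL tcp dport 53 accept

        # LAN -> DMZ: clients submit and fetch mail (SMTP, POP3, IMAP).
        iifname $LAN oifname $DMZ ip daddr $MAIL tcp dport { 25, 110, 143 } accept

        # LAN -> Internet: general outbound.
        iifname $LAN oifname $WAN accept

        # DMZ -> LAN: no new connections. Any "trusted" port would be an
        # explicit accept placed above this rule. Logging makes a cracked
        # DMZ host probing the LAN visible.
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan-drop: " drop
    }
}
```

Replies to LAN-initiated connections still reach the LAN through the established,related rule, so the final drop only blocks connections that originate in the DMZ.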