Names and uses for various firewall concepts
-
It turns out that I have a need of various safety mechanisms with firewalling, and it's been a long time since I did this officially.
I'm hoping to get help understanding the major concepts.
Back in the day, the DMZ was a real network that could be accessed by the public internet, but had no access itself back to the private network. As such, any updates to content had to be pushed to machines in the DMZ, which ruled out proxy servers. I don't think the term is used for networks that are quite as strict nowadays, but I have a DMZ, and I'm wondering whether or not to host a reverse proxy on it, or whether it should be somewhere more secure with just a single port broken through (or maybe whether a DMZ should just be more locked down in general nowadays).
In my new network, I also have uses for other security mechanisms, but I'm not sure what they're properly called.
For example, I have some devices that need public internet access, but should have no private network access. Is there a name for that? (e.g. a streaming box)
I also have some devices that need a local-only, non-private network (as in, they should never have access to the private networks, and never have access to the public internet), but they have useful information that should be accessible by other machines that don't have this restriction. (For example, an IP camera. It should not be able to exfiltrate data on its own, but another, more trusted, machine should be able to capture the stream data, and should be able to stream on demand or back up over the public net.) Is there a name for this kind of network? I've been calling it a prison, and the network that can contact it a warden for now.
And finally, I have a more general question about push versus pull as a security mechanism. For example, how important is it to be strict here? I'd expect that more secure layers in the onion should be able to access less secure layers, and not the other way around, but often the data access patterns are not under my control. (e.g. Imagine if an IP camera was a push device and needed to be connected to push data to the more secure layer, as opposed to the server in the more secure layer pulling data from the camera).
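As an added illustration of the zone model the question describes (not part of the original post, and not the poster's configuration), here is one way to express the DMZ, internet-only, "prison" and "warden" segments as an nftables forward policy. Interface names (`lan0`, `warden0`, `cam0`, `iot0`, `dmz0`, `wan0`) and the backend address `10.0.0.10` are constructed placeholders; each segment is assumed to be its own interface or VLAN on the firewall host. The security-relevant point is that connection tracking lets replies return without ever granting the less trusted side the right to initiate, which is exactly the pull-not-push property the question asks about.

```nft
# Example zone policy (assumed interface names, not from the original post).
# Default is drop: a flow is only forwarded if some rule below allows the
# *initiating* direction. Replies are handled by connection tracking.
table inet zones {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful core: return traffic for an already-allowed connection is
        # accepted here, so none of the rules below need to permit replies.
        ct state invalid drop
        ct state established,related accept

        # Private network (most trusted layer): may initiate to any other zone.
        iifname "lan0" accept

        # Warden: may initiate into the prison (pull the camera stream) and
        # out to the internet (off-site backup of what it pulled).
        iifname "warden0" oifname { "cam0", "wan0" } accept

        # Prison: never initiates anything. Only conntrack replies leave cam0,
        # and those were matched above. No internet, no private network.
        iifname "cam0" drop

        # Internet-only devices (e.g. a streaming box): WAN and nothing internal.
        iifname "iot0" oifname "wan0" accept

        # DMZ: the internet may initiate to the published ports only.
        iifname "wan0" oifname "dmz0" tcp dport { 80, 443 } accept

        # DMZ hosting a reverse proxy: the "single port broken through" variant.
        # Only one backend address and one port inward; a strict old-style DMZ
        # would omit this rule entirely and rely on content being pushed in.
        iifname "dmz0" oifname "lan0" ip daddr 10.0.0.10 tcp dport 8443 accept

        # Everything else (including dmz0 -> wan0 if not wanted) falls to policy drop.
    }
}
```

Two points worth noting about the push-versus-pull question. With the rules above, a pull-only camera needs no outbound permission at all: the warden initiates, and `ct state established,related` carries the stream back. If a device can only push, the minimum concession is a pinhole of the form `iifname "cam0" oifname "warden0" ip daddr <collector> tcp dport <port> accept`, which gives the prison exactly one destination and one port rather than general egress; that is the cost of letting a less trusted layer initiate into a more trusted one.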