In this lesson we discuss the critical security policies for
the outer firewall, inside firewall, and the DMZ firewall system.
We also apply the reactive security design principle in this design tradeoff.
iptables also implements a stateful firewall with the option -m state,
where the --state NEW option can be specified to
indicate this is the first TCP segment received for a session.
If the first TCP segment does not have the SYN flag, or
SYN bit, set, then it should be flagged as a potential TCP attack or
could be an out-of-sequence segment when [INAUDIBLE].
Here we use bang, which is ! --syn, to represent that kind of situation.
The third iptables rule is added to the FORWARD chain for
logging traffic from eth0, the DMZ side of the network
interface for the inner firewall,
with new TCP segments, and the fourth iptables rule drops them.
This is really to implement security policy number one.
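As an added example (not from the lecture or its course materials), here is how the two inner-firewall rules just described look as iptables commands. It assumes eth0 is the inner firewall's DMZ-facing interface, that the rules belong in the FORWARD chain, and that the LOG rule is inserted before the DROP rule so the event is recorded before the segment is discarded; the log prefix and the DRY_RUN wrapper are this example's own choices.

```shell
#!/bin/sh
# Added example: inner-firewall rules for "NEW but not SYN" TCP segments.
# Assumptions (not from the lecture): eth0 is the DMZ-facing interface of
# the inner firewall; rules go in the FORWARD chain; LOG precedes DROP.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 applies them (root).
DMZ_IF="${DMZ_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# inner_fw_new_not_syn_rules: log, then drop, forwarded TCP segments that
# conntrack sees as the start of a session (--state NEW) but that do not
# carry the SYN flag (! --syn). Such a segment is either a probe or an
# out-of-sequence segment for a session the firewall never saw start.
inner_fw_new_not_syn_rules() {
    # Rule 3: log the offending segment (prefix is an example value).
    run iptables -A FORWARD -i "$DMZ_IF" -p tcp ! --syn \
        -m state --state NEW \
        -j LOG --log-prefix "FW-NEW-NOT-SYN:" --log-level 4
    # Rule 4: drop it. Because LOG is a non-terminating target, the same
    # match is repeated here so the segment is discarded after logging.
    run iptables -A FORWARD -i "$DMZ_IF" -p tcp ! --syn \
        -m state --state NEW \
        -j DROP
}

inner_fw_new_not_syn_rules
```

Run it as `sh inner_fw.sh` to review the generated rules, or `DRY_RUN=0 sh inner_fw.sh` as root to load them. On current kernels `-m conntrack --ctstate NEW` is the preferred spelling of the legacy `-m state --state NEW`; the match semantics are the same. Keeping the LOG rule ahead of the DROP rule is what turns the policy into a detection signal: the kernel log entries tagged with the prefix show how often DMZ hosts emit non-SYN first segments toward the inside.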
Here we show the DMZ firewall system with three networks
connected by a single firewall.
It will definitely save costs and management effort
when we compare it with a dual firewall configuration.
But there is a higher chance of messing up the packet
routing and the iptables rule implementation
that should implement the security policy;
there could be a mistake there.
Another consideration is fault tolerance and cyber resilience.