On Mon, 6 Sep 1999, Ben Nagy wrote:
> Surely one of these devices is redundant. What extra security can a packet
> screen provide if it's right in front of a firewall - if the firewall is
> that insecure then why bother having it?
1- It can provide additional filtering so that the firewall doesn't have
to log completely bogus intrusion attempts. In high-volume or highly
visible environments this can be a godsend for keeping the reaction
threshold alive while still maintaining a reasonable amount of paranoia
about firewall log incidents.
2- It provides protection from leaking {Ethernet} and invalid {Ethernet}
frames, overrunning NIC buffers, etc. in case the firewall's NIC drivers
or OS don't do a good job. (eg. Suns used to reuse {Ethernet} buffers
without clearing them - in this case it'd be impossible to sniff passwords in
such frames.) Substitute Token Ring, FDDI, or your framing of choice for
{Ethernet}.
3- It ensures that only packets destined for the firewall reach the
firewall in the event that it's misconfigured to route between interfaces
or some other problem (or rogue administrator) leaves the firewall wide-open.
4- It provides extra depth of defense in the case that a problem is found
in the firewall implementation (name one that hasn't had bugs and you've
not been watching closely enough.)
> If the level of trust in the Internal LAN were not great, or the information
> / resources used in the LAN DMZ were that critical, then I guess this
> architecture could be useful.
Trusting a LAN full of insecure hosts with users who'll load anything
over the Internet is generally a bad idea. That's the status quo though :(
> I've seen an interesting architecture...
>
> Net---FW1----R----FW2---R---Internet
>        |
>       DMZ
I'd put the DMZ off of FW2 and probably add a router on the inside to
protect FW1 from the virus-ridden, ActiveX-tainted whining imbeciles most
people call users :) That would give (more pissing-off ASCII art):
Net---R1----FW1---R2---FW2----R3----Internet
                        |
                       DMZ
Full layer-1 protection for each FW, anti-spoof and non-allowed service
protection of each FW, and separate administration domains between DMZ
security and internal network security. FW2 could even be some stateful
thing, as long as FW1 was a real proxy I'd even be reasonably happy (So'd
my router vendor.) The WebDweebs could have control of FW2, since they
may need to react to a significant market change and we don't want them
playing on the "real" firewall, then it'd take the co-option (and scarily
enough cooperation) of two groups of administrators to open new holes -
three if you let a 3rd group admin the routers or at least R2 :)
There's no inherent trust in any single piece of equipment or technology
in such a design, and there doesn't have to be in any single
administrator either. We've preached redundant mechanisms to offset a
single failure in firewalling for years. Any firewall can be made that
insecure, it's relatively cheap insurance to add screening routers.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
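The screening-router policy Paul describes for R3 (anti-spoof on each interface, only packets addressed to the firewall's own external address and to services it actually offers get through, and nothing leaving the firewall side may carry any source but the firewall's) can be modelled as a small packet filter. The following is an added example written for this page, not code from the original post or from any router vendor; the addresses, the allowed-service list and the sample packets are all constructed for illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the illustration (not from the original post):
# the firewall's external address and the address space that sits behind it.
FW_EXTERNAL = ipaddress.ip_address("203.0.113.2")
INSIDE_NETS = [ipaddress.ip_network("203.0.113.0/29"),   # router <-> firewall link
               ipaddress.ip_network("192.0.2.0/24")]      # DMZ / internal space
# Sources that are never legitimate on the Internet-facing interface.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
           "192.168.0.0/16", "224.0.0.0/4")]
# Services the firewall is meant to expose (assumed set). Anything else is
# dropped here, so the firewall's logs only show traffic worth reading.
ALLOWED_TO_FW = {("tcp", 25), ("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Packet:
    iface: str                  # "outside" (Internet side) or "inside" (firewall side)
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def screen(pkt: Packet) -> tuple[str, str]:
    """Return ("permit" | "deny", reason) for one packet crossing the router."""
    try:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    except ValueError:
        return "deny", "unparseable address"
    if pkt.iface == "outside":
        # Anti-spoof: nothing from the Internet may claim an inside or bogon source.
        if in_any(src, INSIDE_NETS) or in_any(src, BOGONS):
            return "deny", "spoofed source on outside interface"
        # Only the firewall itself is reachable; nothing can be routed past it,
        # even if the firewall is later misconfigured to forward between interfaces.
        if dst != FW_EXTERNAL:
            return "deny", "destination is not the firewall"
        if (pkt.proto, pkt.dport) not in ALLOWED_TO_FW:
            return "deny", "service not offered by the firewall"
        return "permit", "allowed service to firewall"
    if pkt.iface == "inside":
        # Egress anti-spoof: a wide-open or misrouting firewall still cannot leak
        # packets from internal hosts, because only its own address may exit.
        if src != FW_EXTERNAL:
            return "deny", "inside packet not sourced from the firewall"
        if in_any(dst, INSIDE_NETS) or in_any(dst, BOGONS):
            return "deny", "inside packet bound for a non-routable destination"
        return "permit", "firewall-originated traffic"
    return "deny", "unknown interface"


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("outside", "198.51.100.7", "203.0.113.2", "tcp", 80),   # web to the FW
    Packet("outside", "198.51.100.7", "203.0.113.2", "tcp", 23),   # telnet probe
    Packet("outside", "192.0.2.10", "203.0.113.2", "tcp", 80),     # spoofed inside src
    Packet("outside", "198.51.100.7", "192.0.2.10", "tcp", 80),    # tries to go past FW
    Packet("inside", "203.0.113.2", "198.51.100.7", "tcp", 80),    # FW proxy traffic
    Packet("inside", "192.0.2.10", "198.51.100.7", "udp", 53),     # leaked internal host
]


def run(packets=SAMPLE):
    """Evaluate every packet and return (packet, verdict, reason) triples."""
    return [(p, *screen(p)) for p in packets]


def permitted(packets=SAMPLE):
    return [p for p in packets if screen(p)[0] == "permit"]


if __name__ == "__main__":
    for p, verdict, why in run():
        print(f"{verdict:6} {p.iface:7} {p.src:>14} -> {p.dst:<14} "
              f"{p.proto}/{p.dport}  ({why})")
```

Of the six constructed packets only the first and fifth are permitted; the telnet probe, the spoofed source, the attempt to address a host behind the firewall, and the internal host trying to talk out directly are all dropped at the router, which is exactly the traffic that would otherwise end up as noise (or worse) in the firewall's logs.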