On Sun, 6 Feb 2000, Chris Brenton wrote:
> Mikael Olsson wrote:
> >
> > Am I the only one on this list who thinks that a "classic"
> > DMZ with public servers between the firewall and the Internet
> > router is a Bad Idea(tm)?
>
> Depends on your requirements and what you have to work with. I've worked
> with sites that get too much traffic on their public Web server to want
> to let it pass through their firewall. The best fit was to bastion the
> servers and throw them off a second Ethernet port on the border router.
> This prevents sniffing while also stopping the performance degradation
> of passing through a firewall.
>
> Of course if you do not have a second Ethernet port to work with, your
> only option may be on the DMZ.
>
> > To me, it seems that you're just making it a lot easier for
> > attackers to steal connections between the internal network
> > and the Internet, and being PITAs in general. I personally
> > feel a lot safer to have public hosts on a 3rd NIC.
>
> The third NIC keeps attackers from sniffing outside your firewall but IMO
> they could do this just as easily on your ISP (maybe easier depending on
> the ISP ;). If you are truly worried about the security of the traffic
> leaving your firewall, encrypt it.
>
> With that said, the more firewalls I play with the more I'm convinced
> that there is less of a gap between a Cisco router running Reflexive
> filters and a $15K firewall package than most people think. A proper
> bastion will only offer the ports you need (TCP/80 for HTTP for
> example). Most firewalls do exactly the same thing (block all ports but
> TCP/80). True, an app proxy keeps the two ends from connecting directly,
> but most filtering & proxy products on the market today do very little
> to screen actual content. Even if you can do some content filtering it's
> not as efficient as locking down the host itself.
>
> So the third NIC thing is cool if you are unable to lock down the host
> itself. Beyond that, it doesn't buy you much. I seem to remember a
> thread on Wizards where Marcus stated that NRF does not even use a
> firewall to protect the domain, that has to tell you something. ;)
>
> > Heck, if you rely on your border router to "screen" things
> > for you and do logging, you might as well disregard all the
> > logs as corrupted, since they (usually?) pass right past
> > the very same hosts that might be corrupted (Thinking
> > ARP spoofing, etc etc etc ...)
>
> Thinking switching or alternate port logging. ;)
>
> IMHO there are some things that are easier to do on a router than on a
> firewall. Dropping broadcast mapping from layers 3 to 2 comes to mind.
> Also, while most OSes will drop source routing, you need to recompile
> the kernel to do it. On a router this is a three or four word command.
> Egress filtering is also best done on a router (IMO).
>
> I also like to use a router for blocking out all the "noise". For
> example most environments see 3-4 ping sweeps a day. I know I don't have
> time to follow up on them all so I would rather not see them in my logs.
> Better to /dev/null the garbage and let your firewall only log what is
> truly "interesting".
>
> > Granted, if you can't trust your firewall to be able to provide
> > "services" to your public hosts on a separate NIC, you might
> > not want to have these hosts there. But, if this is true,
> > isn't that kind of a crappy firewall? *flame shield on*
>
> For me, this is more of a "do I want to put all my eggs in one basket"
> kind of question. I have *not* coded or built from scratch any of the
> firewalls I use. Even if I did I would not rely on my coding abilities
> to be 100% perfect. With this in mind, I can't see relying on a single
> security solution to guard my perimeter if a risk analysis shows my
> threat level to be anything above rock bottom. Just because you paid the
> equivalent of a Mustang convertible for that shiny new firewall does not
> mean that it's 100% perfect. Better to hedge your bets and leverage the
> other security solutions you have available. Layered security is a good
> thing. I caught a few "crappy" firewalls this way myself. ;)
>
> Cheers,
> Chris
> --
> **************************************
> [EMAIL PROTECTED]
>
> * Multiprotocol Network Design & Troubleshooting
> http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
> * Mastering Network Security
> http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
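For readers who want to see what the router-side controls Chris describes look like in practice, here is an added example in Cisco IOS syntax. It is not configuration from Chris Brenton's post or from any product mentioned in the thread; it simply puts his four points (drop source routing with one command, drop layer-3 to layer-2 broadcast mapping, egress-filter on the router, and /dev/null the ping-sweep noise so the firewall only logs what is interesting) together with the bastioned web server hanging off a second Ethernet port and a reflexive ACL standing in for the "Cisco router running Reflexive filters" he compares to a firewall. The public block 192.0.2.0/24, the ISP link address, the interface names and the ACL names are all assumptions chosen for the illustration.

```cisco
! Added example, not from the original post. Addresses, interface and ACL
! names are assumed; 192.0.2.0/24 stands in for the site's public block.
!
! (1) Drop source-routed packets: one global command, no kernel rebuild
no ip source-route
!
interface Serial0/0
 description Link to ISP
 ip address 198.51.100.2 255.255.255.252
 ! (2) Do not map layer-3 directed broadcasts onto layer-2 broadcasts
 no ip directed-broadcast
 ! Ingress screening before anything reaches the firewall or bastion host
 ip access-group from-internet in
 ! (3) Egress filtering: only our own source addresses may leave
 ip access-group to-internet out
!
interface FastEthernet0/1
 description Bastioned public web server on the router's second Ethernet port
 ip address 192.0.2.129 255.255.255.192
 no ip directed-broadcast
!
ip access-list extended to-internet
 ! Sessions opened from inside are recorded in the reflexive list "insideconns";
 ! replies are let back in by the "evaluate" line in the inbound ACL below
 permit tcp 192.0.2.0 0.0.0.255 any reflect insideconns
 permit udp 192.0.2.0 0.0.0.255 any reflect insideconns
 permit icmp 192.0.2.0 0.0.0.255 any
 ! A packet leaving with a foreign source address is spoofed or misrouted:
 ! this is the rare event worth a log line
 deny ip any any log
!
ip access-list extended from-internet
 ! Private space and our own block never legitimately arrive from the ISP side
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 ! (4) Ping sweeps are "noise": no "log" keyword, so they are dropped silently
 ! and the firewall behind this router only sees what gets past here
 deny icmp any any echo
 ! The bastion host offers TCP/80 and nothing else
 permit tcp any host 192.0.2.130 eq 80
 ! Return traffic for inside-initiated sessions (reflexive entries)
 evaluate insideconns
 deny ip any any log
```

The ordering inside from-internet matters: the silent `deny icmp any any echo` sits before the final logged deny, which is what keeps sweep traffic out of the logs while everything else that is unexpected is still recorded. The reflexive `reflect`/`evaluate` pair gives stateful return-traffic handling without a proxy, which is the basis of Chris's point that such a router and a packet-filtering firewall end up enforcing much the same policy; neither inspects the content that reaches port 80, so hardening the bastion host itself remains the control that actually matters for that traffic.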