> -----Original Message-----
> From: Tony Moran [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 16 August 2000 12:15 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Syslog thru Firewall

[snip]
> The main
> problem I am going to see is when that three-tier architecture
> moves on from just that.  It's quite simple at the moment. Internet
> client, middleware WWW server, backend host.  I have been informed
> that soon that backend will include multiple 
> geographically disparate 
> business objects - pulling partner data, customer data etc etc.

In your model, you could just pull all this data in via dedicated links that
come in through the back of the insecure net. You're then treating those
connections as untrusted and still securing your internal and semi-secure
nets against them.

> 
> I wonder also whether other enterprise businesses enforce 
> authenticated 
> (SecurID/PKI etc) access from internal nets to their DMZ's 
> for admins and so 
> on.  Considering the majority (roughly 2/3'rds) of 
> 'incidents' are 
> internal issues or employees this would seem to make some 
> sense.  [snip]

Could be tricky. Personally, I like the idea of being able to perform auth
on a host level - this way one can give some administrators more access than
others. I would hazard a guess that lots of those two thirds involve
disgruntled administrators exceeding privilege. If you want to limit who can
_try_ to authenticate then you can filter at your innermost router. If
you're at a different machine and you suddenly need access, you could use
lock-and-key (on Ciscos) to reconfigure the ACLs on the fly. This is not to
say that the host-based auth couldn't _then_ use some sort of two-factor
method.

> This is the setup here as things stand.
> 
> 
> Internet
>   |
>   |      Nokia
> _|_      ___
> |RTR|____|FW1|_______insecure-net   (WWW servers, external DNS)
> |___|    |___|
>   |
> _|_
> |FW1|________________host-net   (Staging servers, backends)
> |___|
>   |
>   |
> _|_
> |RTR|
> |___|
>   |
>   |
> Internal Networks
> 
> 
> All routers are Firewalling to differing degrees too.
> 
> The other advantage of this is that inbound http/domain traffic
> isn't going to affect the mainline Firewall-1 box bandwidth wise
> and rules on each security device are going to be a lot less
> complicated.  The problems include points of failure and the fact I
> believe 'routers should route and firewalls should firewall'.  With
> time hopefully I'll be able to improve on this too.
> 
> Any comments on this architecture ?

AUGHHHH ASCII ART! FLEE! FLEE! ;)

If you ever run into speed problems with the frontend servers talking to the
backend servers, you could bring both of the outside connections from the
FW1s into a switch instead of straight into the router. You lose a tiny bit
of security but gain a lot of performance (unless you have a _really_ quick
router). Other than that it looks good to me.

> 
> 
> Cheers,  Tony

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
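The suggestion above about filtering at the innermost router who may even _try_ to authenticate, with lock-and-key to open an entry on the fly for an admin who is on a different machine, can be expressed as a Cisco IOS configuration fragment. This is an added illustration and not part of the thread or either author's configuration; the subnets (10.1.1.0/24 for admin workstations, 192.0.2.0/24 for host-net, router address 10.1.1.1), the ACL number, the username and the timeouts are all assumed placeholders.

```cisco
! Added example, not from the original thread. Addresses, ACL number,
! username and timeouts are assumed placeholders.
!
! Lock-and-key user: after logging in to the router, "access-enable host"
! inserts a temporary entry for this user's source address only, which
! expires after 5 idle minutes.
username admin-jane privilege 1 secret REPLACE-WITH-REAL-SECRET
username admin-jane autocommand access-enable host timeout 5
!
! Dynamic template: absolute lifetime 10 minutes once enabled.
access-list 101 dynamic admin-hole timeout 10 permit tcp any 192.0.2.0 0.0.0.255 eq 22
! Permanent rule: only the admin workstation subnet may reach SSH on host-net,
! so nobody else on the internal nets gets to attempt host-level auth there.
access-list 101 permit tcp 10.1.1.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
! Any internal host may reach the router itself to authenticate for lock-and-key.
access-list 101 permit tcp any host 10.1.1.1 eq telnet
! Log and drop every other attempt to reach host-net management ports.
access-list 101 deny tcp any 192.0.2.0 0.0.0.255 eq 22 log
! Ordinary (non-management) traffic is left to the firewall rules behind the router.
access-list 101 permit ip any any
!
interface Ethernet0
 description Internal-facing interface of the innermost router
 ip access-group 101 in
!
line vty 0 4
 login local
```

The ordering matters: the dynamic entry must sit above the `deny`, because IOS evaluates the list top to bottom and the temporary entry is inserted at the template's position. The `log` keyword on the deny gives the kind of audit trail that makes the "two thirds internal" figure visible in your own environment, and it is worth shipping those router logs to a syslog host that is not itself on host-net.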