Re: [fw-wiz] RE: firewall-wizards digest, Vol 1 #679 - 2 msgs

From: Paul D. Robertson
Date: 09/16/02

From: "Paul D. Robertson"
To: Larry Wilson
Date: Mon Sep 16 06:05:03 2002

On Mon, 16 Sep 2002, Larry Wilson wrote:

> The options mentioned so far are quite valid dependent on functionality of
> the firewalls and a firewall that can be managed with central policies would
> accomplish this readily. However, there is also another option that can be
> considered. This is using a single DMZ (simple firewall) for the servers
> with a centrally managed, policy driven crypto VPN solution that is a host

Actually, VPNs were mentioned in my first reply...

> to host VPN engine. This would allow a set of rules to be set up to
> determine what can talk to what, based on IP, subnet or range and is easily
> reconfigurable. Therefore, if there is a VPN rule that defines host A can
> talk to host B & C, then that is all that *can* happen. Not even a ping will
> work from anywhere else. There is also a good audit capability as well, if
> needed.

The issue with VPNs is the same as with host-based filtering and
routing/ARP solutions: they require the host to maintain its integrity
(and in a network where non-VPN traffic is probably the norm, they require
*all* the hosts sharing layer 2 to maintain their integrity).

Given that the hosts in question seem to need to talk to the rest of the
Internet (most likely without authentication, or with very weak
authentication), the utility of any encryption-based solution is
fairly low. You're forced to break the encryption boundary for most of
the traffic. That means that an attacker who gains administrator can
simply disable the VPN software (or spoof L2 traffic from the router.)

Given that the boxes are likely to be similarly configured servers, a bug
in one is going to be a bug in all. Also, the systems are going to take a
potentially significant performance hit inspecting each packet to
determine if it should come from a VPN tunnel (probably only an issue if
they're high traffic sites), or encrypting/decrypting if there's
significant transactional traffic between servers.

If you're going on the premise that you'll stop automated worms, then you
can do about the same thing with static ARP entries, which should be
significantly less expensive (in terms of performance), though you could
probably get better granularity out of either a VPN or "personal firewall"
product. The advantage of a personal firewall product over a VPN is that
you don't have to take the encryption/decryption hit on transactional
server <-> server traffic.

None of these solutions inhibit layer 2 attacks in any way, which is why
physical separation wins.

Paul D. Robertson      "My statements in this message are personal opinions
                        which may have no basis whatsoever in fact."
Director of Risk Assessment
TruSecure Corporation
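The static-ARP point above, as an added example that is not code from the thread or from either poster: a simulated ARP cache fed two constructed replies for the same router IP, one legitimate and one gratuitous from a compromised peer on the same segment. The host names, addresses (TEST-NET-1 and the IANA documentation OUI) and frames are all assumptions made up for the illustration; the dynamic cache is overwritten, the pinned one is not, and both log the change.

```python
# Added example (not code from the thread): a simulated ARP cache showing why a
# static entry resists a spoofed reply while a dynamic one is overwritten.
# Every host, MAC address and frame below is constructed for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as seen on the wire (constructed, not captured)."""
    sender_ip: str
    sender_mac: str
    note: str = ""  # free-text label for the scenario below


@dataclass
class ArpCache:
    static: dict = field(default_factory=dict)   # ip -> mac pinned by the admin
    dynamic: dict = field(default_factory=dict)  # ip -> mac learned from replies
    alerts: list = field(default_factory=list)

    def add_static(self, ip: str, mac: str) -> None:
        self.static[ip] = mac.lower()

    def process(self, reply: ArpReply) -> bool:
        """Apply a reply; return True if it changed where we will send frames."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        if ip in self.static:
            # A pinned entry is never overwritten by traffic; just record the attempt.
            if self.static[ip] != mac:
                self.alerts.append(
                    f"reply for {ip} claims {mac}, static entry {self.static[ip]} kept")
            return False
        prev = self.dynamic.get(ip)
        if prev is not None and prev != mac:
            # A dynamic cache accepts the new mapping; this is the poisoning window.
            self.alerts.append(f"mapping for {ip} changed {prev} -> {mac}")
        self.dynamic[ip] = mac
        return prev != mac

    def resolve(self, ip: str):
        return self.static.get(ip, self.dynamic.get(ip))


ROUTER_IP = "192.0.2.1"            # constructed (TEST-NET-1)
ROUTER_MAC = "00:00:5e:00:53:01"   # constructed (IANA documentation OUI)
ATTACKER_MAC = "00:00:5e:00:53:ff" # constructed: a compromised peer on the segment

FRAMES = [
    ArpReply(ROUTER_IP, ROUTER_MAC, "legitimate reply from the router"),
    ArpReply(ROUTER_IP, ATTACKER_MAC, "gratuitous reply from a compromised peer"),
]


def run_scenario() -> dict:
    """Feed the same frames to a dynamic cache and to one with a static entry."""
    dyn = ArpCache()
    pinned = ArpCache()
    pinned.add_static(ROUTER_IP, ROUTER_MAC)
    for frame in FRAMES:
        dyn.process(frame)
        pinned.process(frame)
    return {
        "dynamic_next_hop": dyn.resolve(ROUTER_IP),
        "static_next_hop": pinned.resolve(ROUTER_IP),
        "dynamic_alerts": dyn.alerts,
        "static_alerts": pinned.alerts,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

On a real host the pinned entry is `ip neigh add 192.0.2.1 lladdr 00:00:5e:00:53:01 dev eth0 nud permanent` on Linux or `arp -s` on Windows; the addresses are the constructed ones above. The caveat is the one the message makes: the static entry only fixes the next-hop mapping on a host that is still intact, and it does nothing against a peer that sniffs, floods, or spoofs frames from the router's port on the shared segment.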
