Re: [fw-wiz] RE: firewall-wizards digest, Vol 1 #679 - 2 msgs

From: Paul D. Robertson
Date: 09/16/02

From: Paul D. Robertson
To: Larry Wilson
Date: Mon Sep 16 06:05:03 2002

On Mon, 16 Sep 2002, Larry Wilson wrote:

> The options mentioned so far are quite valid dependent of functionality of
> the firewalls and a firewall that can be managed with central policies would
> accomplish this readily. However, there is also another option that can be
> considered. This is using a single DMZ (simple firewall) for the servers
> with a centrally managed, policy driven crypto VPN solution that is a host

Actually, VPNs were mentioned in my first reply...

> to host VPN engine. This would allow a set of rules to be set up to
> determine what can talk to what, based on IP, subnet or range and is easily
> reconfigurable. Therefore, if there is a VPN rule that defines host A can
> talk to host B & C, then that is all that *can* happen. Not even a ping will
> work from anywhere else. There is also a good audit capability as well, if
> needed.

The issue with VPNs is the same as with host-based filtering and
routing/ARP solutions: they require the host to maintain its integrity
(and in a network where non-VPN traffic is probably the norm, they require
*all* the hosts sharing layer 2 to maintain their integrity).

Given that the hosts in question seem to need to talk to the rest of the
Internet (most likely without authentication, or with very weak
authentication), the utility of any encryption-based solution is
fairly low. You're forced to break the encryption boundary for most of
the traffic. That means that an attacker who gains administrator can
simply disable the VPN software (or spoof L2 traffic from the router.)

Given that the boxes are likely to be similarly configured servers, a bug
in one is going to be a bug in all. Also, the systems are going to take a
potentially significant performance hit inspecting each packet to
determine if it should come from a VPN tunnel (probably only an issue if
they're high traffic sites), or encrypting/decrypting if there's
significant transactional traffic between servers.

If you're going on the premise that you'll stop automated worms, then you
can do about the same thing with static ARP entries, which should be
significantly less expensive (in terms of performance). Though you could
probably get better granularity out of either a VPN or "personal firewall"
product. The advantage of a personal firewall product over a VPN is that
you don't have to take the encryption/decryption hit on transactional
server <-> server traffic.

None of these solutions inhibit layer 2 attacks in any way, which is why
physical separation wins.

Paul D. Robertson
Director of Risk Assessment
TruSecure Corporation
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
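The message above argues that static ARP entries (and host-based filters generally) only hold as long as the host itself stays intact, because the check runs on the host. The following script, added here as an illustration and not part of the original thread or any of the participants' tools, shows what that host-side check looks like in practice: it parses the neighbour table in the Linux iproute2 `ip -4 neigh show` format (assumed; entries with extra flags such as `router` are not handled) and audits it against the static entries an administrator expects, reporting entries that are missing, that have the wrong MAC, that were learned dynamically rather than configured statically, or that appear for hosts outside the expected set. The IP/MAC values and the sample table are constructed for the example.

```python
"""Audit a host's ARP/neighbour table against the static entries expected
by policy.  Example code; the ip-neigh line format is assumed to be the
Linux iproute2 one, and all addresses below are constructed samples."""
import re
import subprocess

# Expected static entries, IP -> MAC (constructed sample values).
EXPECTED_STATIC = {
    "192.0.2.1": "52:54:00:aa:bb:01",   # default router
    "192.0.2.20": "52:54:00:aa:bb:20",  # peer server B
    "192.0.2.30": "52:54:00:aa:bb:30",  # peer server C
}

# Constructed sample of `ip -4 neigh show` output.  Line 3 has the right IP
# but a different MAC and was learned dynamically; line 4 is a host the
# policy does not know about; line 5 is an unresolved entry with no MAC.
SAMPLE_NEIGH = """\
192.0.2.1 dev eth0 lladdr 52:54:00:aa:bb:01 PERMANENT
192.0.2.20 dev eth0 lladdr 52:54:00:aa:bb:20 PERMANENT
192.0.2.30 dev eth0 lladdr 52:54:00:de:ad:30 REACHABLE
192.0.2.99 dev eth0 lladdr 52:54:00:aa:bb:99 STALE
192.0.2.77 dev eth0 FAILED
"""

# One neighbour per line: "<ip> dev <if> [lladdr <mac>] <STATE>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>\S+))? (?P<state>\S+)$"
)


def parse_neigh(text):
    """Return {ip: (interface, mac_or_None, state)} from ip-neigh output."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NEIGH_RE.match(line)
        if not m:
            continue  # unknown line shape; skip rather than guess
        entries[m["ip"]] = (m["dev"], m["mac"], m["state"])
    return entries


def audit(entries, expected):
    """Compare the live table with policy; return sorted (ip, finding) pairs."""
    findings = []
    for ip, mac in expected.items():
        if ip not in entries:
            findings.append((ip, "missing"))
            continue
        _dev, seen_mac, state = entries[ip]
        if seen_mac != mac:
            # Different MAC than configured: misconfiguration or spoofing.
            findings.append((ip, "mac-mismatch"))
        elif state != "PERMANENT":
            # Right MAC but learned dynamically, so it can be overwritten.
            findings.append((ip, "not-static"))
    for ip, (_dev, seen_mac, _state) in entries.items():
        if ip not in expected and seen_mac is not None:
            # A resolved neighbour the policy never listed: traffic outside it.
            findings.append((ip, "unexpected"))
    return sorted(findings)


if __name__ == "__main__":
    try:
        out = subprocess.run(["ip", "-4", "neigh", "show"], check=True,
                             capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_NEIGH  # fall back to the constructed sample offline
    for ip, finding in audit(parse_neigh(out), EXPECTED_STATIC):
        print(f"{ip}: {finding}")
```

Run as root on a host with static entries configured, the script reports drift from the configured table; on the constructed sample it flags 192.0.2.30 as a MAC mismatch and 192.0.2.99 as an unexpected neighbour. The limitation the message points out still applies: an attacker who already has administrator on the host can change both the table and this check, and a layer 2 attack from another host on the segment is not something the table alone can prevent.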