Re: [fw-wiz] Screening Router as a firewall

From: Avishai Wool (avishai_w_at_yahoo.com)
Date: 03/26/05

    To: Shimon Silberschlag <shimons@bll.co.il>, firewall-wizards@honor.icsalabs.com
    Date: Sat, 26 Mar 2005 09:40:43 -0800 (PST)
    
    

    Shimon,

    Here is a long answer to your question.

    Let's first challenge your premise: what is the purpose of having
    multiple firewalls in series? Clearly, the reason is the assumption
    that 2 firewalls are more secure than one.
    Why should this assumption hold?

    After all, if the security policy allows some traffic to reach from
    source to destination - then BOTH firewalls will have
    the necessary "pass" rules. You need only one of the firewalls to
    drop unallowed traffic, so you could possibly save duplicating "drop"
    rules, but this is not giving you any more security. So, I conclude that
    if both firewalls are correctly enforcing the same policy, their
    combined filtering effect is identical to having just one - the other one
    is redundant (read "useless").

    Another possible reason for the thought that "2 are better than 1"
    is "reliability": let's assume that each firewall has a "failure"
    probability of p, then the probability of both failing at the same
    time is p^2, right?
    Wrong! That calculation is correct only if the failure probabilities
    are _independent_, which most certainly is not the case for 2 firewalls,
    connected in series, configured by the same staff, with the same power grid,
    etc. Their failure probabilities are highly correlated.

    Moreover, the main reason for firewall "failure" (which means allowing
    bad traffic through) is poor configuration - see citation [1] below.
    It's not a power failure or a bug in the vendor's code. So duplicating
    the hardware, even from different vendors, won't buy you the "failure
    independence" your management is looking for. You might get some
    independence if you have separate teams configuring the devices -
    I doubt if many organizations do this, it sounds like operational hell...

    I can think of only 2 rational reasons to have 2 firewalls.

    1. Performance: you could get a performance boost if your
    outer firewall was a fast but "stupid" device: you let it throw
    away the obvious junk, and let the slower but smarter device
    work on a lighter traffic load.

    2. You want to put machines between the firewalls and form a DMZ. This
    is fine, and does not contradict my argument from before because the
    two firewalls are enforcing different policies now.

    With this analysis in mind, I would say that if you want option #1,
    then putting filtering access lists on a router in front of the main
    firewall is a fine solution. If you want option #2 (DMZ), then you
    want real firewalls both in front and behind the DMZ. I wouldn't "skimp"
    on the inside firewall because the DMZ could pose as bad a security
    risk as the "outside".

    In either case I wouldn't rely on a Microsoft ISA: it's running the same OS
    as many of your internal machines, so it is as vulnerable to malware as
    those internal machines. This is where failure probability independence does
    make sense: it's plausible that one vendor's bugs are independent of another.

    HTH
      Avishai

    Reference:

    [1] A. Wool. A quantitative study of firewall configuration errors.
    IEEE Computer, 37(6):62-67, 2004.
    http://www.eng.tau.ac.il/~yash/computer2004.pdf

    --- Shimon Silberschlag <shimons@bll.co.il> wrote:
    > Hello group,
    >
    > Having a request for at least 2 firewalls protecting internet connectivity,
    > would you consider a border router with ACLs as the first firewall, or would
    > you demand to implement ACLs on the router and 2 other "traditional"
    > firewalls?
    >
    > If you select the first option, would simple "packet filter" type ACLs
    > suffice, or would you demand "stateful" ACLs?
    > (I believe Cisco calls its implementation CBAC).
    > If you select the second option, would you demand that the 2 firewalls be of
    > different brand, different technology or can they be the same product?
    >
    > Can ISA2004 serve as the second, internal facing firewall? Anyone using it
    > as such?
    >
    > TIA,
    >
    > Shimon Silberschlag
    >
    > +972-3-9351572
    > +972-50-7207130
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

    Avishai Wool, Ph.D.,
    http://www.algosec.com http://www.eng.tau.ac.il/~yash
    yash@acm.org Tel: +972-3-640-6316 Fax: +972-3-640-7095
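As an added example (not part of Avishai's post or of any product), the two arguments above in a small Python model: two firewalls in series are the intersection of their "pass" sets, so two copies of one policy pass exactly what one copy does; and a common-cause term (shared staff, config process, power) moves the joint failure probability from the naive p^2 toward p. The zones, ports, rule base and probabilities are constructed for illustration.

```python
"""Added example, not from the fw-wiz post: firewalls as first-match rule
lists chained in series, plus a common-cause failure model.  All zone
names, ports, rules and probabilities are constructed for illustration."""


def evaluate(rules, src, dst, port):
    """First matching rule wins; "*" / None mean any; implicit final drop."""
    for r_src, r_dst, r_port, action in rules:
        if r_src in (src, "*") and r_dst in (dst, "*") and r_port in (port, None):
            return action
    return "drop"


def series(chain, src, dst, port):
    """Traffic must be passed by every firewall in the chain; any drop wins."""
    return "pass" if all(evaluate(fw, src, dst, port) == "pass" for fw in chain) else "drop"


def accept_set(chain, space):
    """Every (src, dst, port) in `space` that the whole chain lets through."""
    return {pkt for pkt in space if series(chain, *pkt) == "pass"}


# Constructed packet space and a single policy (hypothetical rule base).
ZONES = ("inet", "dmz", "lan")
PORTS = (25, 80, 443, 3389)
SPACE = [(s, d, p) for s in ZONES for d in ZONES for p in PORTS]
POLICY = [("inet", "dmz", 80, "pass"), ("inet", "dmz", 443, "pass"),
          ("dmz", "lan", 25, "pass"), ("*", "*", None, "drop")]


def redundant(policy, space=SPACE):
    """True when two copies of `policy` in series pass exactly what one does."""
    return accept_set([policy, policy], space) == accept_set([policy], space)


def joint_failure(p, common):
    """P(both firewalls fail) when each fails with probability p and a
    common cause of probability `common` (0 <= common <= p) takes both
    down at once; each box also has an independent failure mode q sized
    so its total stays p.  common == 0 gives p**2, common == p gives p."""
    if not 0 <= common <= p < 1:
        raise ValueError("need 0 <= common <= p < 1")
    q = 1 - (1 - p) / (1 - common)   # independent share of each box's failure
    return common + (1 - common) * q * q


if __name__ == "__main__":
    print("two identical firewalls redundant:", redundant(POLICY))
    for c in (0.0, 0.02, 0.05, 0.1):
        print(f"p=0.1 common={c:.2f} -> P(both fail)={joint_failure(0.1, c):.4f}")
```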


