Re: [fw-wiz] Screening Router as a firewall

From: Kevin (kkadow_at_gmail.com)
Date: 03/24/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 24 Mar 2005 14:20:50 -0600
    
    

    On Thu, 24 Mar 2005 15:37:57 +0200, Shimon Silberschlag
    <shimons@bll.co.il> wrote:
    > Having a request for at least 2 firewalls protecting internet connectivity,
    > would you consider a border router with ACLs as the first firewall, or would
    > you demand to implement ACLs on the router and 2 other "traditional"
    > firewalls?

    Can you show a simple ASCII diagram of what you mean by
    "at least 2 firewalls" and by "protecting internet connectivity"?

    What threats are being protected against by this design?

    Are you referring to making internet-accessible servers the "meat"
    in a firewall sandwich, or just loading up two sets of firewalls
    back-to-back with crossover cables?

    > If you select the first option, would simple "packet filter" type ACLs
    > suffice, or would you demand "stateful" ACLs?

    A "filter router" on the edge is a good thing. It doesn't count as being
    a "firewall" but that doesn't mean it isn't useful. You can stop quite a
    bit of the internet background noise with a few simple stateless ACLs,
    and with good egress filtering, avoid contributing to the problem.

    > (I believe Cisco calls its implementation CBAC).
    > If you select the second option, would you demand that the 2 firewalls be of
    > different brand, different technology or can they be the same product?

    There's no real benefit to be had in layering two identical but physically
    distinct firewalls of the same brand and design. The only place you
    might see this done is where the two sets of firewalls are managed by
    two independent groups, such as in a B2B connection or a particularly
    schizophrenic organization.

    > Can ISA2004 serve as the second, internal facing firewall?
    > Anyone using it as such?

    I have a hard time even using "ISA2004" and "firewall" in the same sentence.

    Kevin Kadow
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
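As an added illustration of the edge "filter router" Kevin describes above (stateless ingress ACLs that drop obvious junk, plus egress filtering so the site does not source spoofed traffic), here is a Cisco IOS configuration fragment. It is not part of the original message; 203.0.113.0/24 is a documentation prefix standing in for the organization's own address block, and the server addresses and interface name are assumptions.

```cisco
ip access-list extended EDGE-IN
 remark 203.0.113.0/24 is a placeholder for the site's own prefix (assumption)
 remark Anti-spoofing: nothing from outside may claim our own addresses
 deny   ip 203.0.113.0 0.0.0.255 any
 remark Drop sources that should never appear on the public internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 remark Stateless "established": admit TCP segments with ACK or RST set,
 remark i.e. replies to sessions opened from inside; no session table is kept
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark Published services (host addresses are assumed examples)
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.25 eq 25
 permit udp any host 203.0.113.53 eq 53
 remark DNS answers back to the resolver (UDP has no ACK bit to match on)
 permit udp any eq 53 host 203.0.113.53
 remark Keep path MTU discovery and ping replies working
 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 remark Everything else is dropped and logged for later review
 deny   ip any any log

ip access-list extended EDGE-OUT
 remark Egress filtering: only our own prefix may source packets outbound,
 remark so a compromised host cannot join a spoofed-source flood
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log

interface GigabitEthernet0/0
 description Upstream ISP link (interface name is an assumption)
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
```

The "established" line is what makes this a packet filter rather than a firewall: it trusts flag bits on the incoming segment instead of remembering which connections were actually opened, which is exactly the gap a stateful inspection layer behind the router is meant to close.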

