Re: [fw-wiz] Screening Router as a firewall
jfvanmeter_at_comcast.net
Date: 03/30/05
- Previous message: Rob Hughes: "Re: [fw-wiz] Site-to-Site VPN Gateway behind NAT device"
- Maybe in reply to: Shimon Silberschlag: "[fw-wiz] Screening Router as a firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com Date: Wed, 30 Mar 2005 13:16:54 +0000
I have seen a setup that had two firewalls, the first was a PIX and the second was Checkpoint. The reasons for two firewalls and two different vendors are:
1. The area between the two firewalls would be a screening subnet and you could host your email servers, content filtering systems, DNS, etc.
2. Rules can be split between the two firewalls
3. The reason for two different vendors is, if one vendor has an exploit and the perimeter firewall is compromised, the second firewall keeps any malicious activity out... ok hopefully out....
-------------- Original message --------------
> Shimon,
>
> here is a long answer to your question.
>
> Let's first challenge your premise: what is the purpose of having
> multiple firewalls in series? Clearly, the reason is the assumption
> that 2 firewalls are more secure than one.
> Why should this assumption hold?
>
> After all, if the security policy allows some traffic to reach from
> source to destination - then BOTH firewalls will have
> the necessary "pass" rules. You need only one of the firewalls to
> drop unallowed traffic, so you could possibly save duplicating "drop"
> rules, but this is not giving you any more security. So, I conclude that
> if both firewalls are correctly enforcing the same policy, their
> combined filtering effect is identical to having just one - the other one
> is redundant (read "useless").
>
> Another possible reason for the thought that "2 are better than 1"
> is "reliability": let's assume that each firewall has a "failure"
> probability of p, then the probability of both failing at the same
> time is p^2, right?
> Wrong! That calculation is correct only if the failure probabilities
> are _independent_, which most certainly is not the case for 2 firewalls,
> connected in series, configured by the same staff, with the same power grid,
> etc. Their failure probabilities are highly correlated.
>
> Moreover, the main reason for firewall "failure" (which means allowing
> bad traffic through) is poor configuration - see citation [1] below.
> It's not a power failure or a bug in the vendor's code. So duplicating
> the hardware, even from different vendors, won't buy you the "failure
> independence" your management is looking for. You might get some
> independence if you have separate teams configuring the devices -
> I doubt if many organizations do this, it sounds like operational hell...
>
> I can think of only 2 rational reasons to have 2 firewalls.
>
> 1. performance: you could get a performance boost if your
> outer firewall was a fast but "stupid" device: you let it throw
> away the obvious junk, and let the slower but smarter device
> work on a lighter traffic load.
>
> 2. You want to put machines between the firewalls and form a DMZ. This
> is fine, and does not contradict my argument from before because the
> two firewalls are enforcing different policies now.
>
> With this analysis in mind, I would say that if you want option #1,
> then putting filtering access lists on a router in front of the main
> firewall is a fine solution. If you want option #2 (DMZ), then you
> want real firewalls both in front and behind the DMZ. I wouldn't "skimp"
> on the inside firewall because the DMZ could pose as bad a security
> risk as the "outside".
>
> In either case I wouldn't rely on a Microsoft ISA: it's running the same OS
> as many of your internal machines, so it is as vulnerable to malware as
> those internal machines. This is where failure probability independence does
> make sense: it's plausible that one vendor's bugs are independent of another.
>
> HTH
> Avishai
>
> Reference:
>
> [1] A. Wool. A quantitative study of firewall configuration errors.
> IEEE Computer, 37(6):62-67, 2004.
> http://www.eng.tau.ac.il/~yash/computer2004.pdf
>
>
>
> --- Shimon Silberschlag wrote:
> > Hello group,
> >
> > Having a request for at least 2 firewalls protecting internet connectivity,
> > would you consider a border router with ACLs as the first firewall, or would
> > you demand to implement ACLs on the router and 2 other "traditional"
> > firewalls?
> >
> > If you select the first option, would simple "packet filter" type ACLs
> > suffice, or would you demand "stateful" ACLs?
> > (I believe Cisco calls its implementation CBAC).
> > If you select the second option, would you demand that the 2 firewalls be of
> > different brand, different technology or can they be the same product?
> >
> > Can ISA2004 serve as the second, internal facing firewall? Anyone using it
> > as such?
> >
> > TIA,
> >
> > Shimon Silberschlag
> >
> > +972-3-9351572
> > +972-50-7207130
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@honor.icsalabs.com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> >
>
> Avishai Wool, Ph.D.,
> http://www.algosec.com http://www.eng.tau.ac.il/~yash
> yash@acm.org Tel: +972-3-640-6316 Fax: +972-3-640-7095
>
>
>
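The correlated-failure argument in the quoted reply (the "p^2" fallacy, shared misconfiguration versus vendor-specific bugs, and the separate-teams case), worked through as an added example that is not from any poster on this thread. All probabilities are constructed illustration values, not measurements.

```python
from math import prod

# A firewall "fails" when it lets disallowed traffic through. Each failure
# cause is either shared by every device in the chain (same staff
# misconfiguring both, same vendor bug on both) or private to one device
# (a vendor-specific bug). Traffic crosses the whole chain only if EVERY
# device fails. All probabilities are constructed illustration values.

def device_failure(shared, private):
    """Marginal failure probability of one device: any shared or private cause fires."""
    return 1.0 - prod(1.0 - c for c in shared) * prod(1.0 - c for c in private)

def chain_failure(shared, private_per_device):
    """P(every device in series fails).

    Given that no shared cause fired, the devices fail independently, so the
    joint probability is P(some shared cause fires)
    + P(no shared cause fires) * product over devices of P(a private cause fires)."""
    p_no_shared = prod(1.0 - c for c in shared)
    p_all_private = prod(1.0 - prod(1.0 - c for c in dev) for dev in private_per_device)
    return (1.0 - p_no_shared) + p_no_shared * p_all_private

def naive_chain_failure(p_single, n=2):
    """The tempting calculation: n devices with independent failure probability p."""
    return p_single ** n

P_CONFIG = 0.09   # misconfiguration rate (constructed; the reply cites [1] as the dominant cause)
P_BUG = 0.01      # vendor-specific exploitable bug rate (constructed)

SCENARIOS = {
    # same team configures both, same vendor: every cause is shared
    "same staff, same vendor": ([P_CONFIG, P_BUG], [[], []]),
    # same team, different vendors: config error shared, bugs private
    "same staff, different vendors": ([P_CONFIG], [[P_BUG], [P_BUG]]),
    # separate teams and vendors: nothing shared, so the p^2 assumption holds
    "separate teams, different vendors": ([], [[P_CONFIG, P_BUG], [P_CONFIG, P_BUG]]),
}

def compare(name):
    """Return (single-device failure, naive p^2, joint failure with correlation)."""
    shared, private = SCENARIOS[name]
    single = device_failure(shared, private[0])
    return single, naive_chain_failure(single), chain_failure(shared, private)

if __name__ == "__main__":
    for name in SCENARIOS:
        single, naive, joint = compare(name)
        print(f"{name:36s} one FW {single:.4f}  naive p^2 {naive:.4f}  real joint {joint:.4f}")
```

With the same staff on both boxes the second firewall barely moves the joint failure rate (0.0991 to 0.0901), while only the fully independent scenario reaches the p^2 figure (0.0098).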