RE: [fw-wiz] Arch questions

From: Paul Melson (pmelson_at_gmail.com)
Date: 08/12/05

    To: "'Mike LeBlanc'" <mlinfosec@comcast.net>, <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 12 Aug 2005 10:35:46 -0400
    
    

    -----Original Message-----
    > Subject: [fw-wiz] Arch questions
    >
    > All,
    > I am currently planning a move (bring an outsourced hosting overseas to
    > the US). The basics are as follows
    >
    > inet rtr -->segment-->fw--->BIG IP--->IPS---->web
    >
    > The questions I have are:
    > 1/ Someone has recently mentioned the idea of using private addressing
    > between the inet rtr and the firewall, with public addressing on the web.
    > What are the pros and cons?

    Did that person mention the specific benefit of using RFC1918 addresses
    outside the firewall? Was that person wearing a Cisco shirt? :)

    Seriously, the pro is that it makes this network, at least in theory and
    common practice, unroutable to the wider Internet. Your firewall's external
    interface can't be easily portscanned, etc. The con is that you're
    hardening your network by breaking it. I don't see an advantage to doing
    this over using access-lists on the border router to prevent this same type
    of traffic. And the thing about access-lists is that you can create
    exceptions without having to readdress things or mess with routing. It's
    also easier to troubleshoot.

    > 2/ I was under the impression that we used NAT to "hide" the webserver for
    > protection (obfuscation) as well as the fw rules to protect it. Comments?

    NAT is *not* an access control mechanism.

    There are things you can do with it that break basic IP routing that create
    an additional layer of obscurity. (For instance, using port redirection
    instead of static NAT makes it less likely that an attacker that can bypass
    the firewall's rules can still route traffic to anything other than the
    services you've published.) Of course, that same obscurity can be a problem
    for you when it comes to troubleshooting. I'm starting to sense a theme
    here.

    I say stick to what you know and are comfortable with. That will probably
    be 'more secure' because of your understanding of the environment - the
    logical conclusion being that your understanding leads to accurate risk
    assessment and appropriate layering of access controls within the
    environment.

    > 3/ My research shows I need to have specific certs (Apache and one other)
    > for *each* webserver behind the Big IP.
    > Anyone have any experience with F5 Big ip 1500s?

    It's my understanding that you can offload the SSL connections to the Big IP
    appliances. This gives you a number of advantages.

    First, you only need one SSL certificate per unique site hosted on the
    switch. This also makes adding servers to the site easier since they're not
    unique. (Of course, if they need to be uniquely authenticated via
    certificate, that's another story, but for
    "I've-encrypted-our-session-with-a-cert-signed-by-a-disinterested-and-ignorant-public-CA-so-people-won't-sniff-your-credit-card"
    e-commerce, it's just fine. :)

    Second, you can place your IDS/IPS between the load balancer and the web
    servers and see all web app traffic without the encrypted 'blind spot.'

    Good luck with your move!

    PaulM

    PS - Can I trade consulting services for an upgrade to 6MB cable? :)
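The static-NAT versus port-redirection point in Paul's reply, as an added illustration that is not part of the original post (the addresses, ports, published-service table and filter rule are all constructed):

```python
"""Toy model of why port redirection exposes less than static 1:1 NAT
when the filter rules are the only real access control.  Added
illustration, not from the original post; all values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


PUBLIC_IP = "203.0.113.10"   # constructed public address on the firewall
WEB_SERVER = "10.0.0.5"      # constructed internal web server


def static_nat(pkt):
    """Static 1:1 NAT: every port on the public address maps to the host."""
    if pkt.dst_ip == PUBLIC_IP:
        return Packet(WEB_SERVER, pkt.dst_port)
    return None


# Port redirection: only the published services have a translation at all.
PUBLISHED = {80: (WEB_SERVER, 80), 443: (WEB_SERVER, 443)}


def port_redirect(pkt):
    target = PUBLISHED.get(pkt.dst_port) if pkt.dst_ip == PUBLIC_IP else None
    return Packet(*target) if target else None


def filter_allows(pkt):
    """The firewall rule set: this is the access control, NAT is not."""
    return pkt.dst_ip == PUBLIC_IP and pkt.dst_port in (80, 443)


def forward(pkt, translate, filter_bypassed=False):
    """Internal destination the packet reaches, or None if it goes nowhere."""
    if not filter_bypassed and not filter_allows(pkt):
        return None
    return translate(pkt)


def reachable_ports(translate, probe_ports, filter_bypassed=False):
    """Ports on the public address that end up at an internal service."""
    return sorted(p for p in probe_ports
                  if forward(Packet(PUBLIC_IP, p), translate, filter_bypassed))


if __name__ == "__main__":
    probes = (22, 80, 443, 3306)
    for name, fn in (("static NAT", static_nat), ("port redirect", port_redirect)):
        print(name, "filter intact:", reachable_ports(fn, probes),
              "filter bypassed:", reachable_ports(fn, probes, True))
```

With the filter in place both schemes expose only 80 and 443; only when the rules are bypassed does the choice of NAT style matter, which is the "obscurity, not access control" distinction the reply draws.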

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

