RE: [fw-wiz] Arch questions

From: Paul Melson (pmelson_at_gmail.com)
Date: 08/12/05

    To: "'Mike LeBlanc'" <mlinfosec@comcast.net>, <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 12 Aug 2005 10:35:46 -0400
    
    

    -----Original Message-----
    > Subject: [fw-wiz] Arch questions
    >
    > All,
    > I am currently planning a move (bring outsourced hosting overseas to
    > the US). The basics are as follows
    >
    > inet rtr -->segment-->fw--->BIG IP--->IPS---->web
    >
    > The questions I have are:
    > 1/ Someone has recently mentioned the idea of using private addressing
    > between the inet rtr and the firewall, with public addressing on the web.
    > What are the pros and cons?

    Did that person mention the specific benefit of using RFC1918 addresses
    outside the firewall? Was that person wearing a Cisco shirt? :)

    Seriously, the pro is that it makes this network, at least in theory and
    common practice, unroutable to the wider Internet. Your firewall's external
    interface can't be easily portscanned, etc. The con is that you're
    hardening your network by breaking it. I don't see an advantage to doing
    this over using access-lists on the border router to prevent this same type
    of traffic. And the thing about access-lists is that you can create
    exceptions without having to readdress things or mess with routing. It's
    also easier to troubleshoot.

    > 2/ I was under the impression that we used NAT to "hide" the webserver for
    > protection (obfuscation) as well as the fw rules to protect it. Comments?

    NAT is *not* an access control mechanism.

    There are things you can do with it that break basic IP routing that create
    an additional layer of obscurity. (For instance, using port redirection
    instead of static NAT makes it less likely that an attacker that can bypass
    the firewall's rules can still route traffic to anything other than the
    services you've published.) Of course, that same obscurity can be a problem
    for you when it comes to troubleshooting. I'm starting to sense a theme
    here.

    I say stick to what you know and are comfortable with. That will probably
    be 'more secure' because of your understanding of the environment - the
    logical conclusion being that your understanding leads to accurate risk
    assessment and appropriate layering of access controls within the
    environment.

    > 3/ My research shows I need to have specific certs (Apache and one other)
    > for *each* webserver behind the Big IP.
    > Anyone have any experience with F5 Big ip 1500s?

    It's my understanding that you can offload the SSL connections to the Big IP
    appliances. This gives you a number of advantages.

    First, you only need one SSL certificate per unique site hosted on the
    switch. This also makes adding servers to the site easier since they're not
    unique. (Of course, if they need to be uniquely authenticated via
    certificate, that's another story, but for
    "I've-encrypted-our-session-with-a-cert-signed-by-a-disinterested-and-ignorant-public-CA-so-people-won't-sniff-your-credit-card"
    e-commerce, it's just fine. :)

    Second, you can place your IDS/IPS between the load balancer and the web
    servers and see all web app traffic without the encrypted 'blind spot.'

    Good luck with your move!

    PaulM

    PS - Can I trade consulting services for an upgrade to 6MB cable? :)

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
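The point in the reply about NAT not being an access control, and about port redirection narrowing what an attacker who slips past the filter rules can reach compared with static 1:1 NAT, as a small added model (example code written for this page, not from the original post or from any F5 or firewall vendor); the addresses, ports and the `rule_bypassed` flag are constructed assumptions.

```python
# Added example (not from the original mailing-list post): a toy model of the
# two inbound NAT styles discussed in the reply, showing why NAT by itself is
# not an access control. All addresses and ports are constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

PUBLIC_VIP = "198.51.100.10"     # constructed public address on the firewall
WEB_SERVER = "10.0.1.20"         # constructed RFC1918 address of the web server


@dataclass
class Nat:
    """Inbound translation keyed by public (ip, port).
    mode 'static'   : 1:1 NAT, every port of the public IP maps to the inside host
    mode 'redirect' : only explicitly published ports map to the inside host"""
    mode: str
    public_ip: str
    inside_ip: str
    published: Dict[int, int] = field(default_factory=dict)  # public port -> inside port

    def translate(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        if dst_ip != self.public_ip:
            return None
        if self.mode == "static":
            return (self.inside_ip, dst_port)          # any port goes straight through
        if self.mode == "redirect":
            if dst_port in self.published:
                return (self.inside_ip, self.published[dst_port])
            return None                                # unpublished port: no route inside
        raise ValueError(f"unknown NAT mode {self.mode!r}")


def firewall_allows(dst_ip: str, dst_port: int, allowed: FrozenSet[int]) -> bool:
    """The actual access control: an explicit filter rule, independent of NAT."""
    return dst_ip == PUBLIC_VIP and dst_port in allowed


def reachable(nat: Nat, dst_port: int, rule_bypassed: bool = False,
              allowed: FrozenSet[int] = frozenset({80, 443})) -> Optional[Tuple[str, int]]:
    """Where a packet to PUBLIC_VIP:dst_port ends up. rule_bypassed models the
    reply's scenario of an attacker getting past the firewall's filter rules."""
    if not rule_bypassed and not firewall_allows(PUBLIC_VIP, dst_port, allowed):
        return None                                    # dropped by the rulebase
    return nat.translate(PUBLIC_VIP, dst_port)


# Two firewalls publishing the same web server: static NAT vs port redirection.
static = Nat("static", PUBLIC_VIP, WEB_SERVER)
redirect = Nat("redirect", PUBLIC_VIP, WEB_SERVER, published={80: 80, 443: 8443})
```

With the filter rule in place both designs expose only 80 and 443; with the rule bypassed, static NAT hands port 22 to the web server while port redirection still has nowhere to send it, which is the extra layer of obscurity the reply describes, and also why troubleshooting a redirected port means knowing the inside port mapping.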

