Re: Inline firewalls vs. Inline firewalls "spaced out"
From: Devdas Bhagat (devdas@worldgatein.net)
Date: 07/23/01
- Previous message: Ben Greenbaum: "Re: Using hashes, not text credentials...?"
- In reply to: Bartel, Matt: "Inline firewalls vs. Inline firewalls "spaced out""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Devdas Bhagat <devdas@worldgatein.net>
To: "Bartel, Matt" <Matt.Bartel@qg.com>, "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
Subject: Re: Inline firewalls vs. Inline firewalls "spaced out"
Date: Mon, 23 Jul 2001 11:22:20 +0530
Message-Id: <01072311335203.28086@office.interoffice>
On Fri, 20 Jul 2001, Bartel, Matt spewed into the ether:
> Hello.
>
> After reviewing the long discussion on suggestions for the best way to
> network webservers, db servers and an internal network, I have a question:
>
> Many people suggested the following setup (perhaps with slight variations):
> Internet<->Firewall1<->Web DMZ<->Firewall2<->DB DMZ<->Firewall3<->Internal
> Network
>
> Why wouldn't you just do the following?:
> Internet<->Firewall1 from Vendor A<->Firewall2 from Vendor B<->Firewall3
> from Vendor C, just to be psycho<->Web DMZ, DB DMZ and Internal Network
Your webserver is directly exposed to the public. You don't want your
DB exposed directly to the public, but only accessible to your
web-server. Your internal network should only be able to talk outwards,
not the world to the internal network.
These are the minimal design considerations from the security policy in
the first design.
Now, consider what happens if your webserver is compromised. In the
first case, the attacker has only restricted access to your database.
To get more valuable data, the attacker has now to compromise your
second firewall, and to actually attack your internal network where
your most valuable data is, a third firewall has to be compromised.
In the second design, the webserver compromise allows full access to
the DB and the internal network. Not what we want. Your network is only
as strong as its weakest link, and if you put the weak spots close to
the strong ones, you weaken the strong ones as well.
> Most people stated the reason for using two FWs was in the hope that if one
> of the FWs is exploited that the other (or, the other two) will not fall
> prey to the same attack. This setup, with two FWs "inline" provides even
> greater security to your web boxes than the first design. Granted, it will
> slow your website since all requests must now run through two FWs (or
> three)...If security was this large of an issue, though, you would probably
> go for the much enhanced security over the added marginal delay, no?
No, the second design is flawed in that it creates an illusion of
security. A firewall protects everything behind it. You put in multiple
layers of protection between vulnerable services. In your second
design, port 80 is still open to the world, and if that is compromised,
you lose everything. In the first case, you lose a web server, but not
the database whereas in the second case, you are gambling everything on
port 80 being secure.
> You could, in this instance, let the webserver(s) and
> db server(s) talk freely, since you are screwed if someone gets back
> there anyway.
That's the whole point. With properly designed multiple layers of
security, you can lose a sub-system of your network without major data
loss. You buy time to find and fix vulnerabilities in the first case,
in the second, you have no such luxury.
Devdas Bhagat
--
Just as I cannot remember any time when I could not read and write, I cannot remember any time when I did not exercise my imagination in daydreams about women. -- George Bernard Shaw
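The blast-radius argument in the reply above can be made concrete with a small model. The following is an added example, not code from the original thread or from either author: it encodes each design as a set of zone-to-zone allow rules and walks the reachability graph to show what an attacker who holds the web tier can still initiate connections to. Zone names, port numbers and the rule sets themselves are constructed assumptions chosen to match the policy described in the message (DB reachable only from the web tier, internal network talks outward only).

```python
"""Blast-radius comparison of the two firewall designs discussed in the thread.

A policy maps (src_zone, dst_zone) -> set of allowed destination ports.
ANY means the pair may talk freely. All rule sets are constructed
illustrations, not configurations taken from the original message.
"""
from collections import deque

ANY = "*"

# Design 1: Internet <-> FW1 <-> Web DMZ <-> FW2 <-> DB DMZ <-> FW3 <-> Internal
# Every tier boundary carries its own policy (assumed ports).
TIERED = {
    ("internet", "web"): {80, 443},
    ("web", "db"): {3306},                # web tier may only query the DB
    ("internal", "db"): {3306},           # internal apps/admins reach the DB
    ("internal", "internet"): {80, 443},  # internal talks outward only
}

# Design 2: three firewalls stacked at the edge, then one flat segment.
# The only enforcement point is the edge; behind it everything talks freely.
FLAT = {
    ("internet", "web"): {80, 443},
    ("web", "db"): {ANY}, ("db", "web"): {ANY},
    ("web", "internal"): {ANY}, ("internal", "web"): {ANY},
    ("db", "internal"): {ANY}, ("internal", "db"): {ANY},
    ("internal", "internet"): {80, 443},
}


def reachable(policy, compromised):
    """Zones an attacker holding `compromised` can initiate connections to,
    transitively: each newly reached zone is pessimistically assumed to be
    compromisable in turn, so only the policy limits the spread.
    Returns {zone: ports it was first reached on}; the start zone maps to set().
    """
    seen = {compromised: set()}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for (s, d), ports in policy.items():
            if s == src and d not in seen:
                seen[d] = set(ports)
                queue.append(d)
    return seen


def unrestricted_zones(policy, compromised):
    """Zones reachable with no port restriction at all, i.e. zones where
    no firewall policy stands between the attacker and the target."""
    return sorted(z for z, ports in reachable(policy, compromised).items()
                  if ANY in ports)


def compare(compromised="web"):
    """Summarise both designs for a given compromised zone."""
    return {
        name: {
            "reachable": sorted(reachable(pol, compromised)),
            "unrestricted": unrestricted_zones(pol, compromised),
        }
        for name, pol in (("tiered", TIERED), ("flat", FLAT))
    }


if __name__ == "__main__":
    for name, summary in compare("web").items():
        print(f"{name:7s} web compromised -> reachable {summary['reachable']}, "
              f"unrestricted {summary['unrestricted']}")
```

Running it for a compromised web tier, the tiered design leaves the attacker with the DB on a single port and no path to the internal network at all, while the flat design exposes the DB and the internal network with no policy in between; that is the "you lose everything" case in the reply. Changing the compromised zone to "db" shows the same property one layer deeper: in the tiered model the DB tier cannot initiate anything.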