RE: Firewall and DMZ topology

From: Mann, Bobby (bmann_at_forzani.com)
Date: 06/11/03

  • Next message: David M. Fetter: "Re: Public IP information"
    To: "'Depp, Dennis M. '" <deppdm@ornl.gov>, "'Daniel B. Cid '" <danielcid@yahoo.com.br>, "'security-basics@securityfocus.com '" <security-basics@securityfocus.com>
    Date: Wed, 11 Jun 2003 11:00:41 -0600
    
    

    Intrusion detection is great if you have the structure, policies and
    procedures to make use of it.

    I've seen many companies that have intrusion detection but never really
    analyze what it's telling them. Most of the time it's because they don't have
    the expertise to know what they're looking at. Not only that, some
    administrators are just not proactive enough to keep the signatures up to date
    or don't have the skills to program new signatures themselves to protect
    against flash attacks.

    Host-based IDS which analyzes behavior, not just signatures, is cool though.
    Check this out, please let me know of any other products that do the same.

    http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html

    http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_data_sheet09186a0080144669.html

    Bob.

    -----Original Message-----
    From: Depp, Dennis M.
    To: Daniel B. Cid; security-basics@securityfocus.com
    Sent: 6/10/03 6:20 PM
    Subject: RE: Firewall and DMZ topology

    You are ignoring any intrusion detection that should alert you to
    nefarious activity inside your DMZ. This same traffic on the outside of
    your firewall may not give concern or alarm, but when it is hitting the
    outside interface of your DMZ, alarms should be ringing continuously.

    I do believe they will be able to break into your second firewall.
    The question is, will your intrusion detection system alert you they are
    breaking in? If so, you can take action to minimize the damage. This is
    why a two-firewall system is more secure.

    Denis

    -----Original Message-----
    From: Daniel B. Cid [mailto:danielcid@yahoo.com.br]
    Sent: Tuesday, June 10, 2003 4:38 PM
    To: security-basics@securityfocus.com

    That's not the problem. For example, if you use Linux as your firewall,
    and if someone breaks your first firewall, in most of the cases this
    person will be able to break the second too.
    Why?
    Because on both firewalls you will not run a webserver or a mail server,
    but only administrative stuff, like sshd, telnetd (sux), snmp (bleh)
    or other similar. And generally the administrators use the same remote
    access program on all firewalls (and the same password!!) and on all
    servers... this is the big problem...
    If some security problem appears in some version of the Cisco firewall,
    and if you use this version on all your firewalls... someone will be
    able to break all firewalls very easily...

    []`s

    Daniel B. Cid

    >On Tue, 2003-06-10 at 16:11, Depp, Dennis M. wrote:
    > First, in order to increase security Firewall1 should not be the same
    >as Firewall2. Even if they are the same, rules will be different on
    >each of the firewalls. Different rules mean different vulnerabilities.
    > Finally, intrusion detection should be more sensitive on the inside of
    >the outer firewall. This enhanced sensitivity should alert you that
    >someone is attempting to compromise the inner firewall.
    >
    > Dennis
    >
    > PS I seriously doubt two firewalls have the same configuration if
    > one is an internal and one is an external firewall. For example, on
    > the external firewall I will allow HTTP requests to various Web servers
    > in the DMZ. The internal firewall should not allow any internet user
    > to access a web server.
    >
    >
    >
    > >
    > > -----Original Message-----
    > > From: Daniel B. Cid [mailto:danielcid@yahoo.com.br]
    > > Sent: Tuesday, June 10, 2003 2:47 PM
    > > To: Zach Crowell
    > > Cc: security-basics@securityfocus.com
    > >
    > > I think similarly to you. In most companies all the firewalls are the
    > > same (same OS, same version and same configuration). If someone is
    > > able to crack firewall 1, they will be able to crack firewall 2
    > > and 3...
    > >
    > > []`s
    > >
    > > Daniel B. Cid
    > >
    > > >On Tue, 2003-06-10 at 13:41, Zach Crowell wrote:
    > > >
    > > >
    > > > Erik Vincent wrote:
    > > > > I think there is a major difference between:
    > > > >
    > > > > 1: internet --> Outer Firewall --> DMZ --> Inner Firewall --> LAN
    > > > > If your Outer Firewall is cracked, only the DMZ
    > > > > computers will be unprotected
    > > > > but the LAN portion is still protected.
    > > >
    > > > Under what conditions would these firewalls be configured any
    > > > differently from a vulnerability-assessment viewpoint? i.e., if
    > > > someone was able to crack the outer firewall, is it not likely
    > > > they would crack the inner firewall as well?
    > > >
    > > > Zach
    > > >
    > > >
    > > >

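Dennis's point that the inner firewall should see no Internet noise at all, and that intrusion detection should therefore be far more sensitive there than on the outer firewall, can be turned into a log triage rule. The Python below is an added example written for this page, not code from any poster; its addresses, log format and the single allowed DMZ-to-LAN flow are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed addressing for the topology discussed in the thread (an assumption,
# not from the thread): internet -> outer firewall -> DMZ -> inner firewall -> LAN.
DMZ = ipaddress.ip_network("192.0.2.0/24")
LAN = ipaddress.ip_network("10.0.0.0/8")
INNER_FW_DMZ_IFACE = ipaddress.ip_address("192.0.2.1")   # inner firewall, DMZ side
# The only flow the inner firewall is meant to pass: DMZ web server -> LAN database.
INNER_ALLOWED = {("192.0.2.10", "10.0.5.20", 3306)}

# Hypothetical key=value log format; adapt the pattern to the real firewall syslog.
LOG_RE = re.compile(r"fw=(?P<fw>\w+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

def classify(line):
    """Severity of one log line: the same event rates higher on the inner firewall."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if m["fw"] == "outer":
        return "info"          # Internet noise on the outer firewall is expected
    # Everything below was seen by the inner firewall, where there should be no noise.
    if src in DMZ:
        if dst == INNER_FW_DMZ_IFACE:
            return "critical"  # a DMZ host is touching the inner firewall itself
        if (str(src), str(dst), dport) not in INNER_ALLOWED:
            return "high"      # a DMZ host is probing inward, dropped or not
        return "info"
    if src not in LAN:
        return "critical"      # an Internet address got past the outer firewall
    return "info"

def triage(lines):
    """Count lines per severity so the inner-firewall alerts stand out."""
    return Counter(s for s in map(classify, lines) if s)

# Constructed sample lines (not real logs).
SAMPLE_LOG = [
    "fw=outer action=drop src=198.51.100.7 dst=192.0.2.10 dport=22",
    "fw=outer action=accept src=198.51.100.7 dst=192.0.2.10 dport=80",
    "fw=inner action=accept src=192.0.2.10 dst=10.0.5.20 dport=3306",
    "fw=inner action=drop src=192.0.2.10 dst=192.0.2.1 dport=22",
    "fw=inner action=drop src=192.0.2.10 dst=10.0.5.20 dport=22",
    "fw=inner action=drop src=198.51.100.7 dst=10.0.5.20 dport=80",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line)
    print(triage(SAMPLE_LOG))
```

The same SSH probe that is only "info" on the outer firewall becomes "critical" when it hits the inner firewall's DMZ-side interface, which is exactly the asymmetry Dennis argues for.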