Re: Basic Network Configuration

From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 10/16/03

    Date: Thu, 16 Oct 2003 12:25:27 +0200
    To: security-basics@securityfocus.com
    
    

    On 2003-10-15 David Gillett wrote:
    > One implements a DMZ in order to impose three sets of
    > firewall rules:
    > - between the internet and the DMZ subnet
    > - between the internet and the trusted subnet
    > - between the DMZ subnet and the trusted subnet

    IMHO the second rule is void, since no traffic should bypass the DMZ.

    > If, instead, you use two boxes, your traffic between the internet and
    > the trusted subnet incurs an extra router hop in each direction. Not
    > a big deal, but performance purists tend to complain about firewall
    > overheads already.
    > Two firewalls will not necessarily cost more than one, if you can get
    > away with SOHO models that only have two interfaces instead of
    > industrial-strength boxes which typically support three or more.

    I have to disagree on this. Two firewalls *will* cost more than one
    because you will have to maintain (configuration, patches, ...) two
    different systems. There is no point in implementing the same firewall
    twice (with different rulesets) because in that case both systems will
    most likely be vulnerable to the same exploits.

    > The usual justification for using two firewalls is that an attacker
    > would have to get past both to get into the trusted network. You only
    > really achieve this benefit if the boxes run different OS and firewall
    > code, so that no single vulnerability works against both.

    Of course. Anything else is completely pointless.

    > But if you use two boxes, then your rules that govern traffic between
    > the internet and the trusted subnet may appear on either box -- are,
    > in fact, the intersection of rules found on both boxes.

    I don't see many reasons why traffic should bypass the DMZ - provided
    you are already going to the trouble of implementing a 2-device setup.
    OTOH I may be missing something here.

    > Correctly managing such a split ruleset can be a challenge, even if
    > both boxes use the same syntax and user interface -- which they won't,
    > if they're distinct enough to cover against firewall vulnerabilities!

    True. That's the price you have to pay.

    Regards
    Ansgar Wiechers
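Added example, not from either poster: an nftables ruleset for the single three-interface firewall David describes, with the three rule sets laid out as separate blocks and the second one (internet <-> trusted) deliberately left without accept rules, as Ansgar argues. Interface names, the addresses (RFC 5737 documentation ranges) and the hosts and ports are constructed assumptions; a DMZ proxy is assumed to carry outbound traffic for the trusted subnet.

```nftables
#!/usr/sbin/nft -f
# Three-legged firewall: WAN, DMZ and trusted LAN on one box.
# All names and addresses below are constructed for this example.
define wan     = "eth0"
define dmz     = "eth1"
define lan     = "eth2"
define web     = 192.0.2.10        # public web server in the DMZ
define proxy   = 192.0.2.11        # outbound proxy in the DMZ
define db      = 198.51.100.20     # database on the trusted subnet
define lan_net = 198.51.100.0/24

flush ruleset

table inet dmz_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic of connections the rules below have accepted.
        ct state established,related accept
        ct state invalid drop

        # Rule set 1: internet <-> DMZ
        iifname $wan oifname $dmz ip daddr $web   tcp dport { 80, 443 } accept
        iifname $dmz oifname $wan ip saddr $proxy tcp dport { 80, 443 } accept

        # Rule set 2: internet <-> trusted
        # Intentionally empty: nothing bypasses the DMZ, so trusted hosts
        # reach the internet only through $proxy and never directly.

        # Rule set 3: DMZ <-> trusted
        iifname $dmz oifname $lan ip saddr $web ip daddr $db tcp dport 5432 accept
        iifname $lan oifname $dmz ip saddr $lan_net ip daddr $proxy tcp dport 3128 accept
        iifname $lan oifname $dmz ip saddr $lan_net tcp dport 22 accept

        # Everything else hits the drop policy; log it for review.
        limit rate 10/minute log prefix "dmz_fw forward drop: "
    }

    chain input {
        # Management of the firewall itself only from the trusted side.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        iifname $lan ip saddr $lan_net tcp dport 22 accept
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`; any flow between $wan and $lan shows up only in the drop log, which is the quickest way to confirm the second rule set really is void.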
