RE: Basic Network Configuration
From: David Gillett (gillettdavid_at_fhda.edu)
Date: 10/16/03
- Previous message: Erik Mintz: "Re: dhcp / mac address"
- In reply to: Ansgar -59cobalt- Wiechers: "Re: Basic Network Configuration"
- Next in thread: 'Ansgar -59cobalt- Wiechers': "Re: Basic Network Configuration"
- Reply: 'Ansgar -59cobalt- Wiechers': "Re: Basic Network Configuration"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Ansgar -59cobalt- Wiechers'" <bugtraq@planetcobalt.net>, <security-basics@securityfocus.com>
Date: Thu, 16 Oct 2003 11:41:00 -0700
> -----Original Message-----
> From: Ansgar -59cobalt- Wiechers [mailto:bugtraq@planetcobalt.net]
> Sent: October 16, 2003 03:25
> To: security-basics@securityfocus.com
> Subject: Re: Basic Network Configuration
>
>
> On 2003-10-15 David Gillett wrote:
> > One implements a DMZ in order to impose three sets of
> > firewall rules:
> > - between the internet and the DMZ subnet
> > - between the internet and the trusted subnet
> > - between the DMZ subnet and the trusted subnet
>
> IMHO the second rule is void, since no traffic should bypass the DMZ.
a) WHY??? So a compromised DMZ host can sniff it?
b) Voiding the second rule means totally trusting all traffic
that originates from your internal network. In 1993, you could
usually get away with that. In 2003, you CAN'T. You MUST
filter that traffic; whether you do it in one place or two, you
still have that second rule.
> > If, instead, you use two boxes, your traffic between the internet and
> > the trusted subnet incurs an extra router hop in each direction. Not
> > a big deal, but performance purists tend to complain about firewall
> > overheads already.
> > Two firewalls will not necessarily cost more than one, if you can get
> > away with SOHO models that only have two interfaces instead of
> > industrial-strength boxes which typically support three or more.
>
> I have to disagree on this. Two firewalls *will* cost more than one
> because you will have to maintain (configuration, patches, ...) two
> different systems. There is no point in implementing the same firewall
> twice (with different rulesets) because in that case both systems will
> most likely be vulnerable to the same exploits.
You're not disagreeing AT ALL, unless you consider deployment of
cheap SOHO firewall appliances acceptable for a site that hosts services
in a DMZ. You don't, do you?
> > The usual justification for using two firewalls is that an attacker
> > would have to get past both to get into the trusted network. You only
> > really achieve this benefit if the boxes run different OS and firewall
> > code, so that no single vulnerability works against both.
>
> Of course. Anything else is completely pointless.
>
> > But if you use two boxes, then your rules that govern traffic between
> > the internet and the trusted subnet may appear on either box -- are,
> > in fact, the intersection of rules found on both boxes.
>
> I don't see many reasons why traffic should bypass the DMZ - provided
> you are already going to the trouble of implementing a 2-device setup.
> OTOH I may be missing something here.
Read twice, answer once. In the two-box case, internal<->internet
traffic DOESN'T bypass the DMZ. I consider that a problem, you don't.
But my point here is that in the two-box case, that traffic has to
cross both boxes -- and gets filtered by rules on BOTH boxes. This
isn't just inefficient, it's also hard to manage.
> > Correctly managing such a split ruleset can be a challenge, even if
> > both boxes use the same syntax and user interface -- which they won't,
> > if they're distinct enough to cover against firewall vulnerabilities!
>
> True. That's the price you have to pay.
>
> Regards
> Ansgar Wiechers
>
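To make the "intersection of rules" point in the exchange above concrete, here is a small model of the two topologies discussed. It is an added illustration, not code from the original post or from either participant: the subnets, ports, rule sets and sample flows are all constructed for the example, and the rule evaluator is a generic first-match filter with an implicit final drop, not any particular firewall product. It shows that in the two-box design, traffic between the internet and the trusted subnet is accepted only if both boxes accept it, and how a rule added to one box but forgotten on the other silently drifts from the policy a single three-interface box would express.

```python
"""Effective policy of a one-box versus a two-box DMZ design.

Added example, not part of the original mailing-list post. All subnets,
ports, rules and flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed subnets (assumptions): an RFC 5737 documentation range stands
# in for the DMZ, a private range for the trusted network.
DMZ = ip_network("192.0.2.0/24")
TRUSTED = ip_network("10.0.0.0/8")


def zone(addr: IPv4Address) -> str:
    """Map an address to one of the three zones named in the thread."""
    if addr in DMZ:
        return "dmz"
    if addr in TRUSTED:
        return "trusted"
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"

    def matches(self, f: Flow) -> bool:
        return (zone(f.src) == self.src_zone and zone(f.dst) == self.dst_zone
                and (self.dport is None or self.dport == f.dport))


def evaluate(ruleset: list, f: Flow) -> str:
    """First-match evaluation with an implicit final drop, like most packet filters."""
    for r in ruleset:
        if r.matches(f):
            return r.action
    return "drop"


# One three-interface firewall: all three rule sets live in a single table.
SINGLE_BOX = [
    Rule("internet", "dmz", 80, "accept"),       # public web server
    Rule("internet", "dmz", 25, "accept"),       # inbound mail
    Rule("trusted", "internet", 80, "accept"),   # outbound traffic is filtered too
    Rule("trusted", "internet", 443, "accept"),
    Rule("trusted", "dmz", 22, "accept"),        # admin access into the DMZ
    Rule("dmz", "trusted", None, "drop"),        # a compromised DMZ host stays out
    Rule("internet", "trusted", None, "drop"),
]

# Two boxes: OUTER sits between the internet and the DMZ segment, INNER between
# the DMZ segment and the trusted network. Internet<->trusted traffic crosses both.
OUTER = [
    Rule("internet", "dmz", 80, "accept"),
    Rule("internet", "dmz", 25, "accept"),
    Rule("trusted", "internet", 80, "accept"),
    Rule("trusted", "internet", 443, "accept"),
]
INNER = [
    Rule("trusted", "internet", 80, "accept"),
    # tcp/443 was never added here: the split ruleset has drifted.
    Rule("trusted", "dmz", 22, "accept"),
    Rule("dmz", "trusted", None, "drop"),
]


def two_box(f: Flow, outer: list, inner: list) -> str:
    """A flow passes only if every box on its path accepts it: the intersection."""
    zones = {zone(f.src), zone(f.dst)}
    path = []
    if "internet" in zones:
        path.append(outer)
    if "trusted" in zones:
        path.append(inner)
    return "accept" if all(evaluate(rs, f) == "accept" for rs in path) else "drop"


def audit(flows: list, outer: list, inner: list, single: list) -> list:
    """Flows whose decision differs between the two-box and one-box designs."""
    return [f for f in flows if two_box(f, outer, inner) != evaluate(single, f)]


def flow(src: str, dst: str, dport: int) -> Flow:
    return Flow(ip_address(src), ip_address(dst), dport)


# Constructed sample flows (RFC 5737 addresses stand in for internet hosts).
SAMPLE_FLOWS = [
    flow("198.51.100.7", "192.0.2.10", 80),   # internet -> DMZ web server
    flow("198.51.100.7", "10.1.1.5", 445),    # internet -> trusted, must be dropped
    flow("192.0.2.10", "10.1.1.5", 3306),     # compromised DMZ host -> internal DB
    flow("10.1.1.5", "192.0.2.10", 22),       # admin into the DMZ
    flow("10.1.1.5", "203.0.113.9", 80),      # outbound web, present on both boxes
    flow("10.1.1.5", "203.0.113.9", 443),     # outbound https, only OUTER knows it
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{zone(f.src):>8} -> {zone(f.dst):<8} :{f.dport:<5} "
              f"one-box={evaluate(SINGLE_BOX, f):<6} two-box={two_box(f, OUTER, INNER)}")
    print("drift:", audit(SAMPLE_FLOWS, OUTER, INNER, SINGLE_BOX))
```

Running it shows the last flow accepted by the single box but dropped in the two-box design, because INNER never received the tcp/443 rule; `audit()` is the kind of check worth running against exported rule sets whenever a policy between the internet and the trusted subnet is changed on one of two boxes.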