Re: One Firewall with DMZ versus Two Firewalls

From: "Berk S. Daemon" <someone@somewhere.com>
Date: Fri, 17 May 2002 20:19:32 GMT


"Erik" <erik@geenspam.vanwesten.net> wrote in message
news:3ce43c22$0$31229$e4fe514c@dreader1.news.xs4all.nl...
> Michael Adams <michaeladams@no-spm.hotmail.com> wrote:
> > I am looking at the prices of Firewalls with DMZ ports, and most are $1500+.
> > Ones without DMZ ports are about a third the cost.
>
> > Would I be just as well off from a security standpoint (or even better off)
> > by using a router to feed two firewalls instead (one for the web server and
> > one for the private network)?
>
> > I was thinking of a topology such as that below:
>
> >                    -- Firewall 1 -- Web Server
> > Internet -- Router
> >                    -- Firewall 2 -- Private Network
>
> > I was considering using two Zyxel Zywalls, and an SMC router, which
> > would cut the cost in half. Any feedback would be appreciated.
>
> Even better:
>
> Internet -- Router -- Firewall -- Leg 1 eg Web server
>                               -- Leg 2 eg DNS server
>                               -- Leg 3 Private network 1
>                               -- Leg 4 Private network 2
>
> In other words: there is very limited added value in using 2 firewalls
> when you use the above setup.
>
> The good part: It can be free of charge. Use an old computer with Linux
> and shorewall (www.shorewall.net) or FreeBSD with ipfw or ipf, or
> OpenBSD with pf.
>
> With any of the abovementioned products you can build firewalls at least
> equal in strength to Zyxel's. Do _not_ run services on your firewall.
>
> KEEP UP WITH PATCHES on your webserver! Firewalls usually do NOT protect
> your servers from attacks on content.
>
> HTH,
>
> EJ
> --
> For OpenBSD pf and nat rule examples: http://www.vanwesten.net

Personally, I'd go with an OpenBSD transparent bridging firewall (IP-less)
[still using public IPs on the DMZ] and a NAT router/firewall
(FreeBSD/OpenBSD) behind the main bridging firewall, hence implementing a
true DMZ.

A NAT router/firewall combo with three NICs on the same box is more of a
pseudo-DMZ than a true DMZ. A bridging firewall with three NICs (one as the
DMZ) is closer to a true DMZ, but still pseudo in some respects and not in
others. Implementing a true DMZ would take at least two firewalls, with the
DMZ on its own network.

Why spend on something commercial and expensive when you can get it for
free? The TCO is usually a lot cheaper/better too!

www.openbsd.org
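The following pf.conf is an added example and not part of the thread or of any poster's own configuration. It shows the single three-legged firewall that Erik sketches (Internet -- Router -- Firewall -- DMZ leg / private-network leg) and encodes the two points the replies insist on: the firewall itself runs no services, and a compromised DMZ host must not be able to reach the private network. It uses current OpenBSD pf syntax (the post-4.7 `match ... nat-to` form rather than the `nat on` syntax of 2002); the interface names, the `192.0.2.10` web server address and the port lists are assumptions for illustration.

```pf
# Added example, not from the thread: pf.conf for one three-legged firewall
# (Internet -- Router -- Firewall -- DMZ / private network).
# Current OpenBSD pf syntax (match/nat-to). Interface names and addresses
# below are assumptions, not taken from the original posts.
ext_if = "em0"             # toward the router and the Internet
dmz_if = "em1"             # leg 1: DMZ, holds the web server
lan_if = "em2"             # leg 3: private network

dmz_net   = $dmz_if:network
lan_net   = $lan_if:network
webserver = "192.0.2.10"   # assumed DMZ web server (RFC 5737 documentation range)

set skip on lo
set block-policy drop      # silently drop whatever is blocked

# Default deny, logged, in both directions on every interface.
block log all

# Drop packets whose source address could not legitimately arrive on that interface.
antispoof log quick for { $ext_if $dmz_if $lan_if }

# The firewall runs no services, so nothing from the DMZ or LAN may talk to the
# firewall's own addresses. ICMP echo stays open for troubleshooting. Both rules
# are "quick" so that no later pass rule can accidentally reopen this.
pass in quick inet proto icmp icmp-type echoreq to self
block return in log quick on { $dmz_if $lan_if } to self

# DMZ -> LAN is never allowed: a compromised web server must not pivot inward.
# "quick" and placed early so nothing below can override it (pf otherwise
# applies the last matching rule).
block log quick on $dmz_if from $dmz_net to $lan_net

# NAT the private LAN behind the external address; the DMZ keeps its own addresses.
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Internet -> DMZ: only the published web service, to one host. synproxy has pf
# complete the TCP handshake before the web server ever sees the connection.
pass in on $ext_if proto tcp from any to $webserver port { 80 443 } \
    flags S/SA synproxy state

# LAN -> DMZ: administration and testing of the web server, nothing else.
pass in on $lan_if proto tcp from $lan_net to $webserver port { 22 80 443 } \
    flags S/SA keep state

# DMZ -> Internet: enough to resolve names, keep time and fetch patches.
# !$lan_net is a single negation on purpose: a negated list such as !{ a b }
# expands into separate rules and ends up matching everything.
pass in on $dmz_if proto { tcp udp } from $dmz_net to !$lan_net port { 53 123 } keep state
pass in on $dmz_if proto tcp from $dmz_net to !$lan_net port { 80 443 } keep state

# LAN -> Internet: anything, but not into the DMZ except through the rule above.
pass in on $lan_if from $lan_net to !$dmz_net keep state

# Let stateful traffic and the firewall's own outbound packets leave.
pass out keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch what the `log` rules drop with `tcpdump -n -e -ttt -i pflog0`. Before exposing the web server, test the isolation from a shell on the DMZ host: a connection attempt to a LAN address should time out (it hits the quick block), while name resolution and an HTTPS fetch to the outside should succeed. Reply packets from the DMZ to the LAN for connections the LAN opened still flow, because pf matches existing state before it evaluates any rule.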


