Security Basics mailing list archives

Re: Basic Network Configuration


From: "Anders Reed-Mohn" <anders_rm () utepils com>
Date: Wed, 15 Oct 2003 09:53:33 +0200

Okay I know this is truly a basic question, but this is after all the "security-BASICS" list!

Well, that's what it's here for.
However, it is a good idea to search list archives before posting.
You will find the answer to your question if you google a bit .. looking for the archives of the SANS Intrusions list, as well as security related newsgroups articles. Also, check the archive for this list, though I haven't searched it for this particular question myself.
I am pretty sure you'll find it.

Anyway.. to the question:

It seems like using the firewall to do this makes sense, but I'd appreciate some external confirmation on that.

It makes a lot of sense. But then, so does the dual-firewall solution. There are no major drawbacks to any of the two, so generally it boils down to a matter of your taste.

How do dual firewalls increase security?
1. An attacker that aims for the DMZ alone, and not the internal network, will hopefully only crack the first firewall, and leave the second alone. Or, more realistically, he will leave it alone long enough for you to detect there is a problem, and engage some countermeasure.
This is NOT really any increase in security (note the word "hopefully" above..), more a flavour of "security by obscurity", as the stuff you really want to protect is on your internal network, not in the DMZ.

2. Only if the two firewalls are of different types/makes will security be enhanced. If the two firewalls can be broken in the same way, and just as easily, then there is no real purpose in the second wall.

Why the 3-NIC model?
Well, since most companies will employ dual firewalls of the same type, you can just as well simplify your design, and have only one box to maintain. This gives you the same security, but with the added benefit of a simpler config (only one ruleset to maintain) and lower HW-cost. Also, there are fewer pieces of HW, and thus fewer parts that can fail. Ease of maintenance is imperative in security.
The downside is that if something breaks, say some HW needs replacement, you will be cutting off the network link for both DMZ and internal while changing parts. In the dual-FW setting, you can take the internal network offline, but still provide the DMZ services to external networks.

It seems to me that anything that requires access from outside the network (Ex. DNS servers, Mail servers, demo servers, etc.) should go in the DMZ.  True?

In theory, yes. And this is the goal you should aim for.
But I guarantee it's not always that simple in practice.

cheers,
Anders :)


---------------------------------------------------------------------------
----------------------------------------------------------------------------
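The "one ruleset to maintain" point in the 3-NIC discussion above can be made concrete with a small zone-based policy model. This is an added example, not code from the post or its author: the zones, address ranges (RFC 5737 documentation prefixes and 10.0.0.0/8), interface names (eth0/eth1/eth2) and the allowed services are constructed assumptions. It evaluates sample flows between external, DMZ and internal zones under a default-deny policy, and renders the same policy as the single iptables FORWARD ruleset a three-NIC box would carry. The property worth checking is that no (DMZ -> internal) rule exists at all, so a compromised DMZ host cannot open connections toward the protected network.

```python
"""Zone-based policy for a single three-NIC firewall (added example).

Constructed assumptions: address ranges, interface names and service list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout: anything not in DMZ or internal is "external".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),     # TEST-NET-1, stands in for the DMZ
    "internal": ip_network("10.0.0.0/8"),  # constructed internal range
}

# Constructed NIC mapping for the single box.
INTERFACE = {"external": "eth0", "dmz": "eth1", "internal": "eth2"}

# Policy keyed by (source zone, destination zone). Any pair absent here is
# denied, which is what keeps DMZ -> internal closed: it is simply not listed.
ANY = "ANY"
POLICY = {
    ("external", "dmz"): {("udp", 53), ("tcp", 53), ("tcp", 25), ("tcp", 80)},
    ("internal", "dmz"): {("udp", 53), ("tcp", 53), ("tcp", 25), ("tcp", 80), ("tcp", 22)},
    ("internal", "external"): ANY,
    ("dmz", "external"): {("udp", 53), ("tcp", 53), ("tcp", 25)},  # resolve and relay mail
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown ranges are treated as external."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "external"


@dataclass(frozen=True)
class Flow:
    """A new connection attempt, reduced to what the policy needs."""
    src: str
    dst: str
    proto: str
    dport: int


def decide(flow: Flow) -> str:
    """Return ACCEPT or DROP for a new flow; default deny."""
    allowed = POLICY.get((zone_of(flow.src), zone_of(flow.dst)))
    if allowed is None:
        return "DROP"
    if allowed == ANY or (flow.proto, flow.dport) in allowed:
        return "ACCEPT"
    return "DROP"


def render_iptables() -> list:
    """Render POLICY as one stateful iptables FORWARD ruleset for the 3-NIC box."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for (src, dst), allowed in POLICY.items():
        base = f"iptables -A FORWARD -i {INTERFACE[src]} -o {INTERFACE[dst]}"
        if allowed == ANY:
            rules.append(f"{base} -m conntrack --ctstate NEW -j ACCEPT")
            continue
        for proto, port in sorted(allowed):
            rules.append(f"{base} -p {proto} --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Constructed sample flows: an outside client reaching the DMZ mail relay,
    # a DMZ host trying to reach an internal file server, an outside client
    # aiming straight at the internal network, and an internal user browsing out.
    samples = [
        Flow("198.51.100.7", "192.0.2.10", "tcp", 25),
        Flow("192.0.2.10", "10.1.2.3", "tcp", 445),
        Flow("198.51.100.7", "10.1.2.3", "tcp", 80),
        Flow("10.1.2.3", "203.0.113.5", "tcp", 443),
    ]
    for f in samples:
        print(f"{zone_of(f.src):>8} -> {zone_of(f.dst):<8} {f.proto}/{f.dport}: {decide(f)}")
    print()
    print("\n".join(render_iptables()))
```

Because the policy is a single table, adding a DMZ service is one entry in one place, which is the maintenance argument made in the post; the rendered ruleset shows that the same table also yields no `-i eth1 -o eth2` rule, so the DMZ-to-internal direction stays closed by default rather than by an explicit rule someone could later loosen.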

