Security Basics mailing list archives

Re: Defense in Depth


From: Javier Blanque <javier () blanque com ar>
Date: Fri, 29 Oct 2004 18:48:30 -0300

I could add something to what Kenneth said...

The firewalls are effective barriers if you put one at the border of the DMZ and one at the border of the internal network. They are not better than one (thinking about security) if you put the two side by side. The external firewall restricts access to the DMZ to as few ports and ethernet addresses as possible (given the functional limits dictated by your requirements). The internal firewall restricts access to the internal network and, if required, services (DBMS, etc.). The internal firewall assures you that the packets that need to see these required services come only from the authorized IP addresses inside the DMZ. Of course it depends on your needs, but as Kenneth says, generally this is the schema used.

I could add that security is like an onion: several concentric layers, with multiple devices being better than one, for security (not for administration or cost), and if heterogeneous technologies and several vendors are included, better still. For example, if your external firewall is a Cisco PIX, then your internal one could be a Firewall-1, better than another Cisco PIX. If you have no money: if your external box is BSD with pf, then your internal firewall could be a GNU/Linux box with iptables.

If your work is about security, never take for granted the security of any device or software, and try to reduce the bottlenecks and isolated points of failure. If you have only one firewall and it is cracked, then the security of your DMZ and of your internal network is compromised (which is a lot worse). When a vulnerability appears on one of your firewalls, the existence of the other allows you the time needed to patch it (and peace of mind). If the vuln is at the external FW, your risk time window is only for the DMZ.
Best regards,
Javier Blanque
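The two-layer policy described above, as an added example that is not part of the original post: a small first-match rule evaluator models an external firewall that exposes only the published DMZ services, and an internal firewall that lets only the named DMZ host reach the database. The addresses, ports and rule sets are constructed for the illustration (203.0.113.0/24 stands in for the Internet side, 192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the internal network) and the "external compromised" switch models the case Javier describes, where the outer box is lost and only the inner layer still counts.

```python
"""Two-layer firewall policy model (external + internal).

Constructed example: addresses, interfaces and rules are illustrative
and do not come from the original post or from any vendor's syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

DMZ_NET = ip_network("192.0.2.0/24")       # constructed DMZ range
INTERNAL_NET = ip_network("10.0.0.0/8")    # constructed internal range
DMZ_WEB = "192.0.2.10"                     # constructed DMZ web server
DMZ_MAIL = "192.0.2.20"                    # constructed DMZ mail relay
INTERNAL_DB = "10.0.5.10"                  # constructed internal DBMS


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # CIDR
    dst: str                      # CIDR
    proto: Optional[str] = None   # None matches any protocol
    dports: Tuple[int, ...] = ()  # empty tuple matches any destination port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (not self.dports or f.dport in self.dports))


def evaluate(rules: List[Rule], f: Flow) -> str:
    """First-match evaluation with an implicit final deny."""
    for r in rules:
        if r.matches(f):
            return r.action
    return "deny"


# External firewall: the Internet may reach only the published DMZ services.
# Nothing aimed at 10.0.0.0/8 is listed, so it falls through to the deny.
EXTERNAL_RULES = [
    Rule("allow", "0.0.0.0/0", DMZ_WEB + "/32", "tcp", (80, 443)),
    Rule("allow", "0.0.0.0/0", DMZ_MAIL + "/32", "tcp", (25,)),
]

# Internal firewall: only the DMZ web host may reach the DBMS, on one port.
INTERNAL_RULES = [
    Rule("allow", DMZ_WEB + "/32", INTERNAL_DB + "/32", "tcp", (5432,)),
]


def zone(addr: str) -> str:
    a = ip_address(addr)
    if a in DMZ_NET:
        return "dmz"
    if a in INTERNAL_NET:
        return "internal"
    return "internet"


def path_decision(f: Flow, external_compromised: bool = False) -> str:
    """Combined verdict for a flow along the Internet -> DMZ -> internal path.

    A flow entering from the Internet crosses the external firewall; a flow
    bound for the internal network crosses the internal firewall. A flow
    is allowed only if every layer it crosses allows it. A compromised
    external firewall is modelled as one that allows everything.
    """
    verdicts = []
    if zone(f.src) == "internet":
        verdicts.append("allow" if external_compromised
                        else evaluate(EXTERNAL_RULES, f))
    if zone(f.dst) == "internal":
        verdicts.append(evaluate(INTERNAL_RULES, f))
    if not verdicts:
        raise ValueError("flow crosses neither firewall in this model")
    return "allow" if all(v == "allow" for v in verdicts) else "deny"


if __name__ == "__main__":
    outside = "203.0.113.5"  # constructed Internet-side address
    cases = [
        ("Internet -> DMZ web 443", Flow(outside, DMZ_WEB, "tcp", 443), False),
        ("Internet -> DMZ web 22", Flow(outside, DMZ_WEB, "tcp", 22), False),
        ("Internet -> internal DB", Flow(outside, INTERNAL_DB, "tcp", 5432), False),
        ("DMZ web -> internal DB", Flow(DMZ_WEB, INTERNAL_DB, "tcp", 5432), False),
        ("DMZ mail -> internal DB", Flow(DMZ_MAIL, INTERNAL_DB, "tcp", 5432), False),
        ("Internet -> DMZ web 22 (ext FW lost)", Flow(outside, DMZ_WEB, "tcp", 22), True),
        ("Internet -> internal DB (ext FW lost)", Flow(outside, INTERNAL_DB, "tcp", 5432), True),
    ]
    for label, flow, lost in cases:
        print(f"{label:40s} {path_decision(flow, lost)}")
```

The last two cases are the point of the post: with the external box lost, the DMZ is exposed (port 22 on the web host becomes reachable), but the internal database still answers only to the one DMZ address the inner firewall names, so the exposure window is confined to the DMZ while the outer box is patched.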

On 27/10/2004, at 13:27, Kenneth R Swain II wrote:

Let me see if I can clear something up.

-------------
|           |
|           |  Internet facing firewall
-------------

DMZ

-------------
|           |
|           |   Internal firewall
-------------

