RE: second-tier firewall replacement

["Boaz Shunami" <BoazS () comsecglobal com>]

Hi Eric,

Segmenting your network and DMZ using different legs of the same
firewall should be fine as means of segmentation to coincide with
leading industry auditors requirements such as PCI.

Best Regards,

Boaz Shunami, QSA

Comsec Consulting

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Eric Ong
Sent: Sunday, September 14, 2008 7:39 PM
To: gillettdavid () fhda edu
Cc: security-basics
Subject: Re: second-tier firewall replacement

Thanks a lot for your valuable comments.

I have more questions about my 2-tier firewall selection.

Since my network doesn't have any segmentation, that is ONLY one
sub-net. my second-tier firewall is worked as a transparent mode
firewall. I know that the LAN segmentation is important for both
performance and security point of view. However, due to the limitation
of the too many server/application/.. , it cannot implement the LAN
segmentation now.

If I purchased a four-leg firewall, and use the "four-leg firewall" as
transparent firewall to separate the network into the four ZONE. Will
you think that idea is okay or not ?

Also, nowadays, the new network should be able to support 1000Mbps. Do
i need to purchase a 10/100 Mbps firewall or 10/100/1000 Mbps
firewall?

Thanks

Eric

On Thu, Sep 11, 2008 at 6:41 AM, David Gillett <gillettdavid () fhda edu>
wrote:
>  Your auditor is correct.  One of the reasons for choosing a
> 2-tier configuration instead of a 3-legged configuration is
> so that an attacker should not have a single exploit that
> gets him all the way into the trusted network zone.  Even
> though the policies at the two tiers should be different,
> using the same vendor opens you to the risk that an exploit
> might be discovered which bypasses the rulesets of both
> boxes.
>
>  Since your outer tier firewall is exposed to the semi-random
> "noise" of the Internet, performance may be an issue, and so
> SPI -- Stateful Packet Inspection -- delivers good value for
> the money.  Ideally, the second tier should not just be a
> different brand but take a different approach:  a proxying
> "application" firewall.  These tend to be more resource
> intensive (bad choice for first tier) but can also detect
> things that would sail right past an SPI firewall.
>  I'm not sure exactly why you have an auditor looking at
> your configuration, but the PCI DSS rules specify an
> "application firewall", and a good argument can be made that
> a proxy qualifies and an SPI firewall does not.
>
>  From what I've looked at closely, Blue Coat is my personal
> favourite, but others may have their own recommendations.
>
> David Gillett
>
>
> > -----Original Message-----
> > From: Eric Ong [mailto:eric.ccong () gmail com]
> > Sent: Wednesday, September 10, 2008 9:06 AM
> > To: security-basics
> > Subject: second-tier firewall replacement
> >
> > Hi all,
> >
> > I need to implement a second-tier firewall replacement
> > project under the 2-tier firewall configuration
> >
> > Below is our current 2-tier firewall configuration:
> > ISP (internet) --> External Firewall/First-Tier Firewall
> > (Juniper Netscreen 25) --> DMZ --> Internal
> > Firewall/Second-Tier Firewall(SunScreen Firewall) --> Internal
Network
> > I have the problem that I don't know why is the critical i
> > need to select the second-tier firewall.
> > Since I know that the SunScreen Firewall is not famous now,
> > so I want to replace the SunScreen Firewall with a new one.
> > Frankly, I want to replace the SunScreen by the Juniper Netscreen.
> > However, my auditor said that this is not a good ideas for
> > both External Firewall and Internal Firewall use the same
> > brand product.
> >
> > Any recommendations for me??
> >
> > Thanks in advance.
> >
> > Eric
**********************************************************************************************
IMPORTANT: The contents of this email and any attachments are confidential. They are intended for the 
named recipient(s) only.
If you have received this email in error, please notify the system manager or the sender immediately and do 
not disclose the contents to anyone or make copies thereof.
*** eSafe scanned this email for viruses, vandals, and malicious content. ***
**********************************************************************************************