Re: placement of AG vs SPF

["Rodney van den Oever" <roever () nse simac nl>]

> Lets suppose we have the following sort of network compartmentalization:
>
>                                                                    /- net 1
> Internet   ---  Firewall   --- (inter-firewall segment) --- Firewall - net
> 2...
>                 / | \                   |                          \- net N
>                DMZ services     Bastion services

Even with a single firewall I would always include packet filtering external and internal routers:

o External router to protect DMZ-hosts unprotected by the firewall.
o Internal router to prevent unauthorized traffic between firewall and internal nets.

> Lets say you are a belts-and-suspenders sort of guy, and believe that two
> separate firewall technologies should be used, so you decide that one
> firewall will be a "mostly application gateway" firewall (sometimes called
> a proxy... :) ) and the other will be a "mostly stateful packet filter"
> firewall.  If the specific product matters, lets say one is going to be
> Gauntlet, and the other Checkpoint's FW1.
>
> Which would you put on the outside as the screening firewall, and which on
> the inside as the internal firewall, and why?  Does the specific product
> matter, or is the reasoning based upon AG vs SPF?

External Router - SPF - AG - Internal Router - Internal Client

o SPF seems good to selectively filter UDP (e.g. DNS-lookups), prevent DoS-attacks, but doesn't protect internal 
clients as well as the AG can.

o SPF can be faster than the AG, so this will give you better performance for your external clients (in case you have a 
T3).

o AG better isolates your internal clients and your database-servers.

o If you want to update the webservers with internal data, it has to go to the AG which might only allow an update in 
one direction (only TO the webservers).

--
Rodney van den Oever / 0x06 3547CA1/ PGP Key ID 0x0A6CCE53
'MCSE = Must Consult Someone Experienced' - Vincent Janelle