Firewall Wizards mailing list archives

RE: Reverse Proxy on DMZ - 1 FW, 2 FW (disclaimer at end...)


From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Wed, 20 Jan 1999 10:40:25 PST



Would you mind explaining this a little bit more? Are you talking about multiple firewalls behind each other or about the "separate network" case outlined below?

Although you could set this up many ways, I prefer a 'serial firewall' 
environment (for some situations like this).  It is quite annoying to do 
this with more than two firewalls though, because, as you mentioned, why 
should all packets from the deep end go through 3,4, even 5 stacks to 
get out.  It is not a huge deal in terms of performance if you are using 
small amounts of bandwidth to the outside world (10-50 meg/s) and is not 
even worth talking about if you are using a slow connection like a T1, 2 
T1's, etc.  However, most will agree that setting up routing internally 
to go through more than two firewalls is a bit annoying.  YMMV.

So that is what I was talking about in terms of multiple firewalls - in 
this case you have your DMZ between the router and FW #1 - do what you 
want with the DMZ, I guess.  Then you have a space between FW #1 and FW 
#2 which would be a good place to put dirty machines like www, etc., 
then you have everything behind FW #2 which is where you put the 
sensitive stuff.  This is a broad generalization.  It may not be 
suitable for your network.


Hmmm... I don't see how my arguments would not hold in a scenario of multiple firewalls. My latest project was one in which we used several firewall entities (from two to five, depends on one's definition) and


That's the point - your arguments _do_ hold, which is why you put in 
multiple firewalls in some scenarios.  If your points were not valid, we 
could just throw everything behind one firewall.


Sorry, but I have the strong tendency to separate machines from each other. Each of those machines resembles a different risk: The Web server might be broken because of some funny OS/Library/Web-Server interaction (1). The mail server because of some buffer overflow. I can't put them on the same network because I have to know if one behaves "different". If a chain breaks at the weakest link, just don't use a chain. Right?


Right - here is the scenario I am describing - you have a serial 
firewall setup like I talked about above, and you just move the part 
between FW #1 and FW #2 to a completely different network.  Obviously if 
you are not comfortable putting them all together between FW1 and FW2, 
then you shouldn't be doing that in the first place.  What I am saying 
is that if you use a serial firewall setup - with 2, 3, 4, 5, 20 
firewalls, remember that you also have the opportunity to take any one 
of those segments and just move it to another building with another ISP 
and give it a single firewall for itself.  Presumably the machines 
quarantined in each of those segments can be safely placed together on 
one network, otherwise, what are they doing in the same segment in the 
first place?

I agree that we _should_ be separating machines - I think we agree more 
than you think - because placing things on totally separate networks 
like this is about as separate as it gets.  Certainly if you are not 
comfortable having mail and www together in a segment, then you 
shouldn't put them together at a separate location.  In some cases, you 
can be confident putting them together (or sometimes you have to) so 
this is just another alternative to placing in another serial firewall 
(or a dirty segment off of a third nic, whatever).

Disclaimer:

I think it is important to point out that the best security practice for 
a particular environment is not necessarily the accepted, published, 
agreed upon format.  It is conceivable that one could build a secure 
network without a firewall.  It is conceivable that one could securely 
place mail, www, and sensitive machines inside a single firewall.  Then 
again, it is conceivable that the best security for _your_ application 
is having 10 firewalls all in a line. Or maybe a few firewalls with 5 
NICs each.  Or maybe split those segments up into 20 new physical 
networks in different locations that do not even recognize each other.

Most likely the above is not the case.  Most likely you _do_ need a 
firewall, you do need to quarantine machines, and you don't have the 
resources to place 10 separate networks in 10 different geographical 
locations on different networks.  In these cases you can learn a lot 
from the _accepted_ work in the field.  Just _don't forget_ that when I 
write this email, I have _no_ clue what your network is like and what it 
is doing.  When people respond to this email, they also have _no clue_.  
We can offer only broad generalizations and speculation.  

Please do not mistake these broad generalizations and wanderings to 
obscure eventualities to mean that I think these are the best practices, 
etc. _in general_ ...  I have done all of these things, and just like to 
throw out my experience as ideas - even when it conflicts with the 
'accepted' material, or how you run your network.  Make a security 
system that protects your network best - nothing less, and if that means 
doing things strangely, so be it - just post to the list when you do, 
because I _like_ to hear about new and strange ways of doing things - it 
increases my mental toolset.  If someone sets up a secure network 
_without_ a firewall, I WANT to hear about it, even though it conflicts 
with the books I read and the trade journals I subscribe to.  If someone 
knows a way to quarantine different blocks using serial firewalls, or 
some other method, I want to hear about it even though it is not 
something I would do on my network.

I didn't make up these ideas, I learned them the same way - someone 
talked about an obscure application they did that had no bearing 
whatsoever on my current projects, and went against the philosophy I was 
using on my network at the time.  Later, however, I found an assignment 
that called for these ideas, and was glad to have them.



kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4


______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
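An added illustration of the serial-firewall layout discussed in the message above (this is example code written for this archive page, not anything the author posted or deployed): a small Python model of router -> [DMZ] -> FW1 -> [dirty segment: www, mail] -> FW2 -> [sensitive segment]. It walks a connection-initiating packet through every firewall on its path, applying first-match, default-deny rules at each hop, and reports where it was stopped and how many filter stacks it crossed. The zone names, the two rule sets, and the services allowed are assumptions chosen for the example; the model is stateless (reply traffic and connection tracking are not modelled).

```python
"""Model of a two-firewall ("serial firewall") layout.

Zones, outermost first:  internet -(router)- dmz -(FW1)- dirty -(FW2)- sensitive
The router is treated as a plain forwarder; only FW1 and FW2 filter.
All zone names, rules and services below are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A connection-initiating packet: source zone, destination zone, service."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule. A None field is a wildcard."""
    action: str                      # "accept" or "drop"
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.dst, p.dst),
                 (self.proto, p.proto), (self.dport, p.dport))
        return all(want is None or want == got for want, got in pairs)


@dataclass
class Firewall:
    name: str
    rules: List[Rule]
    default: str = "drop"            # default-deny: unmatched traffic is dropped

    def decide(self, p: Packet) -> str:
        """First-match semantics, as in most packet filters."""
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


ZONES = ["internet", "dmz", "dirty", "sensitive"]

# Assumed rule set for the outer firewall: only the public services of the
# dirty segment are reachable from outside; inside users may go out.
FW1 = Firewall("FW1", [
    Rule("accept", src="internet", dst="dirty", proto="tcp", dport=80),   # public web
    Rule("accept", src="internet", dst="dirty", proto="tcp", dport=25),   # inbound mail
    Rule("accept", src="dirty", dst="internet", proto="tcp", dport=25),   # mail relay out
    Rule("accept", src="sensitive", dst="internet"),                      # inside users out
])

# Assumed rule set for the inner firewall: nothing initiated from "dirty" is
# accepted, so a compromised www or mail host cannot open connections inward.
FW2 = Firewall("FW2", [
    Rule("accept", src="sensitive", dst="internet"),                      # inside users out
    Rule("accept", src="sensitive", dst="dirty", proto="tcp", dport=22),  # admin to dirty hosts
])

# Firewall guarding each adjacent zone boundary; the router is not a filter here.
HOPS: Dict[Tuple[str, str], Firewall] = {
    ("dmz", "dirty"): FW1,
    ("dirty", "sensitive"): FW2,
}


def firewalls_between(src: str, dst: str) -> List[Firewall]:
    """Firewalls a packet crosses going from zone src to zone dst, in traversal order."""
    i, j = ZONES.index(src), ZONES.index(dst)
    step = 1 if j > i else -1
    fws: List[Firewall] = []
    for k in range(i, j, step):
        a, b = ZONES[k], ZONES[k + step]
        key = (a, b) if step == 1 else (b, a)   # HOPS keys are stored outer-to-inner
        if key in HOPS:
            fws.append(HOPS[key])
    return fws


def trace(p: Packet) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the packet through each firewall on its path, stopping at the first drop.

    Returns (final verdict, [(firewall name, decision), ...]).
    """
    log: List[Tuple[str, str]] = []
    for fw in firewalls_between(p.src, p.dst):
        d = fw.decide(p)
        log.append((fw.name, d))
        if d == "drop":
            return "drop", log
    return "accept", log


if __name__ == "__main__":
    # Constructed sample flows: a public web hit, an attempt to reach the
    # sensitive segment from outside, a pivot from a broken www host, and
    # an inside user browsing out through both firewalls.
    for pkt in (Packet("internet", "dirty", "tcp", 80),
                Packet("internet", "sensitive", "tcp", 80),
                Packet("dirty", "sensitive", "tcp", 445),
                Packet("sensitive", "internet", "tcp", 443)):
        print(pkt, "->", trace(pkt))
```

The trace for a sensitive-to-internet flow shows the cost the message complains about: every outbound packet from the deep end is evaluated by FW2 and then FW1, and adding a third or fourth serial firewall simply extends that list. The trace for a dirty-to-sensitive flow shows what the second firewall buys: the www and mail hosts share a segment, but nothing they initiate gets past FW2.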


