Firewall Wizards mailing list archives
Re: RE: firewall-wizards digest, Vol 1 #679 - 2 msgs
From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 16 Sep 2002 06:15:35 -0400 (EDT)
On Mon, 16 Sep 2002, Larry Wilson wrote:
> The options mentioned so far are quite valid dependent on the functionality of the firewalls, and a firewall that can be managed with central policies would accomplish this readily. However, there is also another option that can be considered. This is using a single DMZ (simple firewall) for the servers with a centrally managed, policy driven crypto VPN solution that is a host

Actually, VPNs were mentioned in my first reply...

> to host VPN engine. This would allow a set of rules to be set up to determine what can talk to what, based on IP, subnet or range, and is easily reconfigurable. Therefore, if there is a VPN rule that defines host A can talk to host B & C, then that is all that *can* happen. Not even a ping will work from anywhere else. There is also a good audit capability as well, if needed.

The issue with VPNs is the same as with host-based filtering and routing/ARP solutions: they require the host to maintain its integrity (and in a network where non-VPN traffic is probably the norm, they require *all* the hosts sharing layer 2 to maintain their integrity.) Given that the hosts in question seem to need to talk to the rest of the Internet (most likely without authentication, or with very weak authentication), the utility of any encryption-based solution is fairly low. You're forced to break the encryption boundary for most of the traffic. That means that an attacker who gains administrator can simply disable the VPN software (or spoof L2 traffic from the router.) Given that the boxes are likely to be similarly configured servers, a bug in one is going to be a bug in all.

Also, the systems are going to take a potentially significant performance hit inspecting each packet to determine if it should come from a VPN tunnel (probably only an issue if they're high traffic sites), or encrypting/decrypting if there's significant transactional traffic between servers. If you're going on the premise that you'll stop automated worms, then you can do about the same thing with static ARP entries, which should be significantly less expensive (in terms of performance.) Though you could probably get better granularity out of either a VPN or "personal firewall" product. The advantage of a personal firewall product over a VPN is that you don't have to take the encryption/decryption hit on transactional server<->server traffic.

None of these solutions inhibit layer 2 attacks in any way, which is why physical separation wins.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com      Director of Risk Assessment
TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
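An added example, not from the thread or either poster, showing the static-ARP approach from the detection side: it audits a host's ARP cache (in the Linux net-tools `arp -an` output format) against the inventory the static entries were pushed from, and flags entries whose MAC differs from the inventory, entries that were left dynamic (and so can be overwritten by a forged ARP reply), inventory hosts with no entry, and peers on the segment that the inventory does not know about. The addresses and the sample `arp -an` output are constructed for the example.

```python
"""Audit a host's ARP cache against the static (PERM) entries it should hold."""
import re
from typing import Dict, List, Tuple

# Authoritative IP -> MAC inventory for the DMZ segment.
# Constructed sample values; a real deployment would load these from the same
# inventory that the `arp -s` entries were generated from.
EXPECTED_ARP: Dict[str, str] = {
    "10.0.0.1": "00:11:22:33:44:01",   # default router
    "10.0.0.10": "00:11:22:33:44:10",
    "10.0.0.11": "00:11:22:33:44:11",
}

# Constructed sample of `arp -an` output (Linux net-tools format).
SAMPLE_ARP_OUTPUT = """\
? (10.0.0.10) at 00:11:22:33:44:10 [ether] PERM on eth0
? (10.0.0.11) at 00:11:22:33:44:11 [ether] on eth0
? (10.0.0.1) at de:ad:be:ef:00:01 [ether] PERM on eth0
? (10.0.0.99) at 00:11:22:33:44:99 [ether] on eth0
"""

# "? (ip) at mac [hwtype] FLAGS on iface"; the flags part is optional.
_ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[^)]+)\) at (?P<mac>\S+)(?P<rest>.*?) on (?P<iface>\S+)$"
)


def parse_arp_output(text: str) -> Dict[str, Tuple[str, bool]]:
    """Map IP -> (lower-cased MAC, is_permanent). Unparseable lines are skipped;
    unresolved entries keep the literal MAC '<incomplete>'."""
    table: Dict[str, Tuple[str, bool]] = {}
    for line in text.splitlines():
        m = _ARP_LINE.match(line.strip())
        if not m:
            continue
        permanent = "PERM" in m.group("rest").split()
        table[m.group("ip")] = (m.group("mac").lower(), permanent)
    return table


def audit_arp(text: str, expected: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (ip, finding, detail) tuples; an empty list means the cache
    matches the inventory and every inventory entry is static."""
    findings: List[Tuple[str, str, str]] = []
    observed = parse_arp_output(text)

    for ip, want_mac in sorted(expected.items()):
        entry = observed.get(ip)
        if entry is None or entry[0] == "<incomplete>":
            findings.append((ip, "MISSING", "no resolved entry; static entry was not applied"))
            continue
        got_mac, permanent = entry
        if got_mac != want_mac.lower():
            findings.append((ip, "MAC_MISMATCH", f"inventory says {want_mac}, cache has {got_mac}"))
        elif not permanent:
            findings.append((ip, "NOT_STATIC", "dynamic entry; a forged ARP reply can replace it"))

    for ip, (mac, _) in sorted(observed.items()):
        if ip not in expected:
            findings.append((ip, "UNEXPECTED_PEER", f"{mac} is on the segment but not in the inventory"))
    return findings


if __name__ == "__main__":
    # In production, replace SAMPLE_ARP_OUTPUT with the output of `arp -an`.
    for ip, kind, detail in audit_arp(SAMPLE_ARP_OUTPUT, EXPECTED_ARP):
        print(f"{kind:16} {ip:15} {detail}")
```

The audit has the same limitation Paul's reply points out for every host-based measure: it reads the cache on the host itself, so an attacker with administrator on that host can both rewrite the entries and silence the check. It is useful for catching drift (an entry that was never made permanent, a MAC that changed after a hardware swap) and for raising an alarm on a host that is still intact, not as a substitute for physical separation.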