Firewall Wizards mailing list archives

Re: RE: firewall-wizards digest, Vol 1 #679 - 2 msgs


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 16 Sep 2002 06:15:35 -0400 (EDT)

On Mon, 16 Sep 2002, Larry Wilson wrote:

> The options mentioned so far are quite valid dependent on the functionality of
> the firewalls, and a firewall that can be managed with central policies would
> accomplish this readily. However, there is also another option that can be
> considered. This is using a single DMZ (simple firewall) for the servers
> with a centrally managed, policy driven crypto VPN solution that is a host

Actually, VPNs were mentioned in my first reply...

> to host VPN engine. This would allow a set of rules to be set up to
> determine what can talk to what, based on IP, subnet or range, and is easily
> reconfigurable. Therefore, if there is a VPN rule that defines host A can
> talk to host B & C, then that is all that *can* happen. Not even a ping will
> work from anywhere else. There is also a good audit capability as well, if
> needed.

The issue with VPNs is the same as with host-based filtering and
routing/ARP solutions: they require the host to maintain its integrity
(and in a network where non-VPN traffic is probably the norm, they require
*all* the hosts sharing layer 2 to maintain their integrity.)

Given that the hosts in question seem to need to talk to the rest of the 
Internet (most likely without authentication, or with very weak 
authentication), the utility of any encryption-based solution is 
fairly low.  You're forced to break the encryption boundary for most of 
the traffic.  That means that an attacker who gains administrator can 
simply disable the VPN software (or spoof L2 traffic from the router.)    

Given that the boxes are likely to be similarly configured servers, a bug 
in one is going to be a bug in all.  Also, the systems are going to take a 
potentially significant performance hit inspecting each packet to 
determine if it should come from a VPN tunnel (probably only an issue if 
they're high traffic sites,) or encrypting/decrypting if there's 
significant transactional traffic between servers.

If you're going on the premise that you'll stop automated worms, then you
can do about the same thing with static ARP entries, which should be
significantly less expensive (in terms of performance), though you could
probably get better granularity out of either a VPN or "personal firewall"
product.  The advantage of a personal firewall product over a VPN is that
you don't have to take the encryption/decryption hit on transactional
server <-> server traffic.

None of these solutions inhibit layer 2 attacks in any way, which is why
physical separation wins.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
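The static-ARP approach discussed above only holds while every host on the shared segment keeps its pinned entries intact, so a defender running it wants a way to notice when a pin has been lost or overridden. The following script is an added example written for this archive page, not code from the original thread or its authors. It assumes the Linux `ip neigh show` output format (`<ip> dev <iface> lladdr <mac> <state>`, with pinned entries reported as `PERMANENT`); both the pinned policy and the neighbour-table dump below are constructed sample data so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): compare a
# neighbour-table dump against a pinned host -> MAC policy and report
# deviations. Assumes `ip neigh show` line format; sample data is constructed.

# Constructed pinned policy: "<ip> <mac>", one entry per line.
PINNED='192.0.2.10 00:11:22:33:44:10
192.0.2.11 00:11:22:33:44:11
192.0.2.1 00:11:22:33:44:01'

# Constructed dump in the shape `ip neigh show` prints on Linux.
# 192.0.2.11 has lost its pin and learned a different MAC; 192.0.2.50 is new.
SAMPLE_NEIGH='192.0.2.10 dev eth0 lladdr 00:11:22:33:44:10 PERMANENT
192.0.2.11 dev eth0 lladdr 00:11:22:33:44:ee REACHABLE
192.0.2.1 dev eth0 lladdr 00:11:22:33:44:01 PERMANENT
192.0.2.50 dev eth0 lladdr 00:11:22:33:44:50 STALE'

# Extract the MAC following "lladdr" from one neighbour line (empty if none).
neigh_mac() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "lladdr") print $(i + 1) }'
}

# check_neigh <pinned-policy> <neighbour-dump>
# Prints one finding per line and returns 1 if anything deviates, 0 if clean:
#   MISSING   <ip>                    pinned host absent from the table
#   MISMATCH  <ip> <expected> <actual> pinned MAC differs from the table
#   NOTSTATIC <ip>                    pinned host present but not PERMANENT
#   UNPINNED  <ip> <mac>              neighbour with no pin at all
check_neigh() {
    pinned=$1
    neigh=$2
    rc=0
    # Pass 1: every pinned host must be present, PERMANENT, and hold its MAC.
    # Heredoc instead of a pipe so rc survives the loop in POSIX sh.
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        line=$(printf '%s\n' "$neigh" | awk -v ip="$ip" '$1 == ip { print; exit }')
        if [ -z "$line" ]; then
            printf 'MISSING %s\n' "$ip"
            rc=1
            continue
        fi
        actual=$(neigh_mac "$line")
        state=$(printf '%s\n' "$line" | awk '{ print $NF }')
        if [ "$actual" != "$mac" ]; then
            printf 'MISMATCH %s %s %s\n' "$ip" "$mac" "$actual"
            rc=1
        fi
        if [ "$state" != "PERMANENT" ]; then
            printf 'NOTSTATIC %s\n' "$ip"
            rc=1
        fi
    done <<EOF
$pinned
EOF
    # Pass 2: any neighbour the policy does not know about is a finding.
    while read -r ip rest; do
        [ -n "$ip" ] || continue
        if ! printf '%s\n' "$pinned" | awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }'; then
            printf 'UNPINNED %s %s\n' "$ip" "$(neigh_mac "$ip $rest")"
            rc=1
        fi
    done <<EOF
$neigh
EOF
    return $rc
}

# Stand-alone run against the constructed data. On a live host the second
# argument would be "$(ip neigh show)" instead.
check_neigh "$PINNED" "$SAMPLE_NEIGH" || echo "neighbour table deviates from pinned policy"
```

Run periodically (cron or a monitoring agent), a non-zero exit from `check_neigh` is the signal that a pin was cleared, that a host's MAC changed, or that an unexpected neighbour appeared on the segment; it does not prevent any of those, which is the point Paul makes about layer 2 and why he prefers physical separation.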
