Firewall Wizards mailing list archives
RE: Arch questions
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 12 Aug 2005 10:35:46 -0400
-----Original Message-----
Subject: [fw-wiz] Arch questions

All, I am currently planning a move (bring outsourced hosting overseas to the US). The basics are as follows:

inet rtr -->segment-->fw--->BIG IP--->IPS---->web

The questions I have are:

1/ Someone has recently mentioned the idea of using private addressing between the inet rtr and the firewall, with public addressing on the web. What are the pros and cons?

Did that person mention the specific benefit of using RFC1918 addresses outside the firewall? Was that person wearing a Cisco shirt? :)

Seriously, the pro is that it makes this network, at least in theory and common practice, unroutable to the wider Internet. Your firewall's external interface can't be easily portscanned, etc. The con is that you're hardening your network by breaking it. I don't see an advantage to doing this over using access-lists on the border router to prevent this same type of traffic. And the thing about access-lists is that you can create exceptions without having to readdress things or mess with routing. It's also easier to troubleshoot.

2/ I was under the impression that we used NAT to "hide" the webserver for protection (obfuscation) as well as the fw rules to protect it. Comments?

NAT is *not* an access control mechanism. There are things you can do with it that break basic IP routing that create an additional layer of obscurity. (For instance, using port redirection instead of static NAT makes it less likely that an attacker that can bypass the firewall's rules can still route traffic to anything other than the services you've published.) Of course, that same obscurity can be a problem for you when it comes to troubleshooting. I'm starting to sense a theme here. I say stick to what you know and are comfortable with. That will probably be 'more secure' because of your understanding of the environment - the logical conclusion being that your understanding leads to accurate risk assessment and appropriate layering of access controls within the environment.

3/ My research shows I need to have specific certs (Apache and one other) for *each* webserver behind the Big IP. Anyone have any experience with F5 Big ip 1500s?

It's my understanding that you can offload the SSL connections to the Big IP appliances. This gives you a number of advantages. First, you only need one SSL certificate per unique site hosted on the switch. This also makes adding servers to the site easier since they're not unique. (Of course, if they need to be uniquely authenticated via certificate, that's another story, but for "I've-encrypted-our-session-with-a-cert-signed-by-a-disinterested-and-ignorant-public-CA-so-people-won't-sniff-your-credit-card" e-commerce, it's just fine. :) Second, you can place your IDS/IPS between the load balancer and the web servers and see all web app traffic without the encrypted 'blind spot.'

Good luck with your move!

PaulM

PS - Can I trade consulting services for an upgrade to 6MB cable? :)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
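An added example, not from the post above, of the border-router access-list approach Paul recommends in answer 1 as the alternative to RFC1918 addressing on the router-to-firewall segment. It assumes a Cisco IOS border router, a firewall outside address of 203.0.113.2 and a management host at 198.51.100.5 (documentation-range placeholders), and an Internet-facing interface named GigabitEthernet0/0.

```cisco
! Inbound ACL on the Internet-facing interface of the border router.
! Goal: the firewall's outside address (203.0.113.2, placeholder) cannot be
! portscanned from the Internet, while the hosted web servers behind the
! firewall stay reachable and the firewall still applies its own policy.
ip access-list extended FROM-INTERNET
 ! Exception: the monitoring/management host (placeholder) may still reach
 ! the firewall's outside interface. Adding such an exception is one line;
 ! with private addressing on the segment it would require readdressing or
 ! routing changes instead.
 permit tcp host 198.51.100.5 host 203.0.113.2 eq 22
 permit icmp host 198.51.100.5 host 203.0.113.2 echo
 ! Drop everything else aimed at the firewall's own outside address and log
 ! it, so scanning attempts show up in syslog rather than vanishing.
 deny ip any host 203.0.113.2 log
 ! Traffic for the published services (BIG-IP VIP, web servers) passes on to
 ! the firewall, which remains the real access-control point.
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group FROM-INTERNET in
```

Verify with `show ip access-lists FROM-INTERNET`; the hit counter on the `deny ip any host 203.0.113.2 log` entry is the quickest way to confirm that scans of the outside interface are being dropped at the router.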
Current thread:
- Arch questions Mike LeBlanc (Aug 12)
- RE: Arch questions Paul Melson (Aug 12)
- RE: Arch questions Warrington Bruce - bwarri (Aug 26)