Security Basics mailing list archives

RE: Firewall and DMZ topology


From: John Brightwell <brightwell_151 () yahoo co uk>
Date: Thu, 12 Jun 2003 18:54:20 +0100 (BST)

I agree that in many cases a tri-homed system is
'adequately secure'; however, I think that a dual
firewall implementation can provide a greater measure
of security.

They may be more prone to failure than a single
firewall - in that the same rule has to be applied to
two different firewalls (and different operating
systems) which increases the chance that a typo will
cause a problem. But if it does fail then it's likely
to fail-safe, i.e. the new rule will allow traffic
through one firewall but the errored firewall will
block it.

This is one reason why a dual firewall solution is
more secure - it's very easy, on a single firewall to
mistype an IP address, netmask or port number (or get
the source and target mixed up) - but making the same
mistake twice on two different firewalls is more
unlikely.

With a two firewall solution you can have different
administrators for each firewall (if you have
sufficient resources) so that any change requires two
separate brains to be involved. It also stops a single
admin being able to open ports in the perimeter
security for their own purposes.

There's also a slight increase in security through
having two firewalls (if they are a different make or
base OS) because an exploit on one may not be
exploitable on the other...

Having said all that, I've installed single,
multi-homed firewalls plenty of times for the cost and
convenience. It depends what you're protecting.

Previous message:

I'm coming into this discussion a little late, and have browsed through
most of the thread and agree with most of the statements made. Throughout
my experience in the security field and a vast study of firewalls and DMZs
I have come to the conclusion that a tri-homed system (utilizing NAT) in the
long run is the easiest and cheapest way to go, and I do believe that it is
as secure as a two firewall system approach due to the fact of human
failure. Meaning having two firewalls with two different rule sets on two
different systems will open up a greater risk of human failure within the
managing of the systems.


Brandon
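The fail-safe argument above (two firewalls in series, a rule retyped on each, a typo on one side closing rather than opening a path) can be modelled directly. The following is an added example, not code from the thread; it assumes a simplified default-deny allow-list model (no rule ordering or explicit deny rules) with constructed rules and addresses.

```python
import ipaddress
from typing import List, Tuple

# Constructed model: a rule is (src_network, dst_network, protocol, dst_port);
# a flow is (src_ip, dst_ip, protocol, dst_port). Every firewall is default-deny.
Rule = Tuple[str, str, str, int]
Flow = Tuple[str, str, str, int]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    src_net, dst_net, proto, port = rule
    src_ip, dst_ip, fproto, fport = flow
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(dst_net)
            and proto == fproto and port == fport)


def permitted(rules: List[Rule], flow: Flow) -> bool:
    """A single firewall passes a flow only if some allow rule matches it."""
    return any(rule_matches(r, flow) for r in rules)


def permitted_in_series(firewalls: List[List[Rule]], flow: Flow) -> bool:
    """Dual-firewall DMZ: the flow must be permitted by every firewall on the path,
    so the effective policy is the intersection of the individual policies."""
    return all(permitted(rules, flow) for rules in firewalls)


def rule_mismatches(a: List[Rule], b: List[Rule]) -> List[Rule]:
    """Rules present on one firewall but not the other: where a typo shows up."""
    return sorted(set(a) ^ set(b))


# Intended change: allow HTTPS from anywhere to the DMZ web server (constructed).
OUTER = [("0.0.0.0/0", "192.0.2.10/32", "tcp", 443)]
# The same rule retyped on the inner firewall, with the port mistyped as 433.
INNER = [("0.0.0.0/0", "192.0.2.10/32", "tcp", 433)]

HTTPS = ("203.0.113.5", "192.0.2.10", "tcp", 443)
TYPO = ("203.0.113.5", "192.0.2.10", "tcp", 433)

if __name__ == "__main__":
    # Single mistyped firewall: HTTPS blocked AND tcp/433 unintentionally open.
    print(permitted(INNER, HTTPS), permitted(INNER, TYPO))
    # Two in series: HTTPS still blocked (noticed fast), but nothing new is open.
    print(permitted_in_series([OUTER, INNER], HTTPS),
          permitted_in_series([OUTER, INNER], TYPO))
    print(rule_mismatches(OUTER, INNER))
```

Comparing the two rule sets with `rule_mismatches` after every change is the cheap way to catch the "same rule, different typo" case the thread describes before users report the outage.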


