Security Basics mailing list archives
RE: Basic Network Configuration
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 16 Oct 2003 11:41:00 -0700
-----Original Message----- From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net] Sent: October 16, 2003 03:25 To: security-basics () securityfocus com Subject: Re: Basic Network Configuration On 2003-10-15 David Gillett wrote:One implements a DMZ in order to impose three sets of firewall rules: - between the internet and the DMZ subnet - between the internet and the trusted subnet - between the DMZ subnet and the trusted subnetIMHO the second rule is void, since no traffic should bypass the DMZ.
a) WHY??? So a compromised DMZ host can sniff it? b) Voiding the second rule means totally trusting all traffic that originates from your internal network. In 1993, you could usually get away with that. In 2003, you CAN'T. You MUST filter that traffic; whether you do it in one place or two, you still have that second rule.
If, instead, you use two boxes, your traffic between theinternet andthe trusted subnet incurs an extra router hop in eachdirection. Nota big deal, but performance purists tend to complain about firewall overheads already. Two firewalls will not necessarily cost more than one, ifyou can getaway with SOHO models that only have two interfaces instead of industrial-strength boxes which typically support three or more.I have to disagree on this. Two firewalls *will* cost more than one because you will have to maintain (confguration, patches, ...) two different systems. There is no point in implementing the same firewall twice (with different rulesets) because in that case both systems will most likely be vulnerable to the same exploits.
You're not disagreeing AT ALL, unless you consider deployment of cheap SOHO firewall appliances acceptable for a site that hosts services in a DMZ. You don't, do you?
The usual justification for using two firewalls is that an attacker would have to get past both to get into the trustednetwork. You onlyreally achieve this benefit if the boxes run different OSand firewallcode, so that no single vulnerability works against both.Of course. Anything else is completely pointless.But if you use two boxes, then your rules that governtraffic betweenthe internet and the trusted subnet may appear on either box -- are, in fact, the intersection of rules found on both boxes.I don't see many reasons why traffic should bypass the DMZ - provided you are already going to the trouble of implementing a 2-device setup. OTOH I may be missing something here.
Read twice, answer once. In the two-box case, internal<->internet traffic DOESN'T bypass the DMZ. I consider that a problem, you don't. But my point here is that in the two-box case, that traffic has to cross both boxes -- and gets filtered by rules on BOTH boxes. This isn't just inefficient, it's also hard to manage.
Correctly managing such a split ruleset can be a challenge, even if both boxes use the same syntax and user interface -- whichthey won't,if they're distinct enough to cover against firewallvulnerabilities! True. That's the price you have to pay. Regards Ansgar Wiechers -------------------------------------------------------------- ------------- FREE Whitepaper: Better Management for Network Security Looking for a better way to manage your IP security? Learn how Solsoft can help you: - Ensure robust IP security through policy-based management - Make firewall, VPN, and NAT rules interoperable across heterogeneous networks - Quickly respond to network events from a central console Download our FREE whitepaper at: http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015 -------------------------------------------------------------- --------------
--------------------------------------------------------------------------- FREE Whitepaper: Better Management for Network Security Looking for a better way to manage your IP security? Learn how Solsoft can help you: - Ensure robust IP security through policy-based management - Make firewall, VPN, and NAT rules interoperable across heterogeneous networks - Quickly respond to network events from a central console Download our FREE whitepaper at: http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015 ----------------------------------------------------------------------------
Current thread:
- Re: Basic Network Configuration, (continued)
- Re: Basic Network Configuration cc (Oct 15)
- Re: Basic Network Configuration Anders Reed-Mohn (Oct 15)
- Re: Basic Network Configuration DRAx (Oct 15)
- Re: Basic Network Configuration Ansgar -59cobalt- Wiechers (Oct 15)
- Re: Basic Network Configuration Valter Santos (Oct 15)
- RE: Basic Network Configuration David Gillett (Oct 15)
- Re: Basic Network Configuration DRAx (Oct 16)
- RE: Basic Network Configuration David Gillett (Oct 16)
- Re: Basic Network Configuration DRAx (Oct 16)
- Re: Basic Network Configuration DRAx (Oct 16)
- Re: Basic Network Configuration Ansgar -59cobalt- Wiechers (Oct 16)
- RE: Basic Network Configuration David Gillett (Oct 16)
- Re: Basic Network Configuration 'Ansgar -59cobalt- Wiechers' (Oct 16)
- RE: Basic Network Configuration David Gillett (Oct 17)
- Re: Basic Network Configuration 'Ansgar -59cobalt- Wiechers' (Oct 17)
- Ports used by VTAM Naren - Pactech (Oct 17)
- RE: Basic Network Configuration David Fore (Oct 15)