Security Basics mailing list archives

RE: Defense in Depth


From: Ghaith Nasrawi <libero () aucegypt edu>
Date: Sat, 06 Nov 2004 00:44:50 +0000

Sorry for the late reply. Well, when you have a VPN set up between two
firewalls, it's usually like this:


LAN1 (IPs 1.1.1.0/24) ---> FW1 <--------> FW2 <----- LAN2 (IPs 2.2.2.0/24)

When you try to establish a connection from LAN1 to LAN2, you just hit a
2.2.2.0/24 IP and the FW takes over and does the whole tunnelling for
you. FWs do all kinds of tricks (sometimes outside the standards) to
establish these tunnels for you. When you put a new FW in the middle,
you're just adding a new layer of complexity, because your FW1<->FW2
connection would be NATed and the traffic manipulated, which upsets the
encrypted traffic's authentication/integrity and ends up breaking any
tunnel. So before you establish any kind of "disruptive" security,
research well what you're doing.




On Thu, 2004-11-04 at 15:52, Randy Golly wrote:
Care to elaborate??

Randy Golly


-----Original Message-----
From: Ghaith Nasrawi [mailto:libero () aucegypt edu] 
Sent: Tuesday, November 02, 2004 6:30 PM
To: Naren
Cc: Ravi Kumar; Ronish Mehta; security-basics () securityfocus com
Subject: Re: Defense in Depth

I don't find them very practical when VPNs are in use. The idea won't work!


On Mon, 2004-11-01 at 03:38, Naren wrote:
Dear all,

My $ 0.02

The idea behind two firewalls is because of different technologies and
capabilities; having two firewalls from two different vendors helps
-snip-
-- 


 (o_
 //\   Ghaith Nasrawi 
 V_/_  

"Evil thrives when good men do nothing"
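The claim above, that a NAT device in the FW1<->FW2 path rewrites packet headers and so breaks the tunnel's authentication/integrity check, can be shown with a small model. The following is an added example written for this archive page, not code from the original post or from any firewall vendor. It models an IPsec AH-style integrity check value (ICV): an HMAC over the IP header, with the mutable fields (TTL, header checksum) zeroed, plus the payload. A hop that only decrements the TTL leaves the ICV valid; a NAT that rewrites the source address does not. The key, addresses and payload are constructed for the example. One caveat worth knowing: ESP (RFC 4303) computes its ICV over the ESP header and payload only, not the outer IP header, so a plain address rewrite survives it, which is why ESP plus NAT traversal (UDP encapsulation, RFC 3948) is what is actually deployed through NAT; AH (RFC 4302), modelled here, cannot be made to work through NAT.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Hypothetical SA key, constructed for the example only.
KEY = b"example-sa-key-not-real"

# IPv4 header field offsets (no options): ver/ihl 0, tos 1, len 2-3,
# id 4-5, frag 6-7, ttl 8, proto 9, csum 10-11, src 12-15, dst 16-19.
TTL_OFF, CSUM_OFF, SRC_OFF = 8, 10, 12
PROTO_AH, PROTO_ESP = 51, 50


def build_ipv4_header(src, dst, proto, ttl=64, total_len=20):
    """Minimal 20-byte IPv4 header; checksum left zero for simplicity."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def ah_icv(ip_header, payload, key=KEY):
    """AH-style ICV: HMAC-SHA256 (truncated to 96 bits) over the IP header
    with mutable fields zeroed, plus the payload. A teaching model of
    RFC 4302, not a wire-compatible implementation."""
    h = bytearray(ip_header)
    h[TTL_OFF] = 0                         # TTL changes at every hop
    h[CSUM_OFF:CSUM_OFF + 2] = b"\x00\x00"  # checksum is recomputed per hop
    return hmac.new(key, bytes(h) + payload, hashlib.sha256).digest()[:12]


def verify_ah(ip_header, payload, icv, key=KEY):
    return hmac.compare_digest(ah_icv(ip_header, payload, key), icv)


def esp_icv(esp_body, key=KEY):
    """ESP-style ICV covers only the ESP header+payload (RFC 4303); the
    outer IP header is deliberately not an input."""
    return hmac.new(key, esp_body, hashlib.sha256).digest()[:12]


def verify_esp(outer_ip_header, esp_body, icv, key=KEY):
    # outer_ip_header is accepted only to make the contrast with AH explicit.
    return hmac.compare_digest(esp_icv(esp_body, key), icv)


def decrement_ttl(ip_header):
    h = bytearray(ip_header)
    h[TTL_OFF] -= 1
    return bytes(h)


def nat_rewrite_src(ip_header, new_src):
    """What a NAT gateway in the middle does to the outer header."""
    h = bytearray(ip_header)
    h[SRC_OFF:SRC_OFF + 4] = IPv4Address(new_src).packed
    return bytes(h)


def demo():
    """Returns (ah_direct, ah_after_hop, ah_after_nat, esp_after_nat)."""
    payload = b"LAN1->LAN2 tunnel test"          # constructed sample payload
    hdr = build_ipv4_header("1.1.1.1", "2.2.2.1", proto=PROTO_AH)
    icv = ah_icv(hdr, payload)

    ah_direct = verify_ah(hdr, payload, icv)
    # A router only decrements TTL (mutable, zeroed in the ICV): still valid.
    ah_after_hop = verify_ah(decrement_ttl(hdr), payload, icv)
    # A NAT rewrites the source IP: the ICV no longer matches.
    natted = nat_rewrite_src(hdr, "203.0.113.5")
    ah_after_nat = verify_ah(natted, payload, icv)

    # Same address rewrite against an ESP-style ICV: the outer header is
    # not covered, so the integrity check itself still passes.
    esp_hdr = build_ipv4_header("1.1.1.1", "2.2.2.1", proto=PROTO_ESP)
    esp_icv_val = esp_icv(payload)
    esp_after_nat = verify_esp(nat_rewrite_src(esp_hdr, "203.0.113.5"),
                               payload, esp_icv_val)
    return ah_direct, ah_after_hop, ah_after_nat, esp_after_nat


if __name__ == "__main__":
    print(demo())  # → (True, True, False, True)
```

The model deliberately keeps the AH and ESP checks side by side: the address rewrite that a NAT performs is exactly the field AH binds into its ICV, while ESP leaves the outer header out. Even for ESP, a port-translating NAT has no TCP/UDP ports to rewrite in protocol 50, which is the other half of why NAT-T encapsulates ESP in UDP.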
