Security Basics mailing list archives
Re: second-tier firewall replacement
From: "Eric Ong" <eric.ccong () gmail com>
Date: Mon, 15 Sep 2008 00:39:09 +0800
Thanks a lot for your valuable comments. I have more questions about my 2-tier firewall selection.

Since my network doesn't have any segmentation, that is, ONLY one subnet, my second-tier firewall works as a transparent-mode firewall. I know that LAN segmentation is important from both a performance and a security point of view. However, due to the limitation of too many servers/applications/..., we cannot implement LAN segmentation now. If I purchased a four-leg firewall and used the "four-leg firewall" as a transparent firewall to separate the network into four ZONEs, do you think that idea is okay or not?

Also, nowadays a new network should be able to support 1000Mbps. Do I need to purchase a 10/100 Mbps firewall or a 10/100/1000 Mbps firewall?

Thanks
Eric

On Thu, Sep 11, 2008 at 6:41 AM, David Gillett <gillettdavid () fhda edu> wrote:
Your auditor is correct. One of the reasons for choosing a 2-tier configuration instead of a 3-legged configuration is so that an attacker should not have a single exploit that gets him all the way into the trusted network zone. Even though the policies at the two tiers should be different, using the same vendor opens you to the risk that an exploit might be discovered which bypasses the rulesets of both boxes.

Since your outer-tier firewall is exposed to the semi-random "noise" of the Internet, performance may be an issue, and so SPI -- Stateful Packet Inspection -- delivers good value for the money. Ideally, the second tier should not just be a different brand but take a different approach: a proxying "application" firewall. These tend to be more resource intensive (a bad choice for the first tier) but can also detect things that would sail right past an SPI firewall.

I'm not sure exactly why you have an auditor looking at your configuration, but the PCI DSS rules specify an "application firewall", and a good argument can be made that a proxy qualifies and an SPI firewall does not. From what I've looked at closely, Blue Coat is my personal favourite, but others may have their own recommendations.

David Gillett

-----Original Message-----
From: Eric Ong [mailto:eric.ccong () gmail com]
Sent: Wednesday, September 10, 2008 9:06 AM
To: security-basics
Subject: second-tier firewall replacement

Hi all,

I need to implement a second-tier firewall replacement project under the 2-tier firewall configuration. Below is our current 2-tier firewall configuration:

ISP (internet) --> External Firewall/First-Tier Firewall (Juniper Netscreen 25) --> DMZ --> Internal Firewall/Second-Tier Firewall (SunScreen Firewall) --> Internal Network

I have the problem that I don't know what is critical when I need to select the second-tier firewall. Since I know that the SunScreen Firewall is not famous now, I want to replace the SunScreen Firewall with a new one. Frankly, I want to replace the SunScreen with the Juniper Netscreen. However, my auditor said that it is not a good idea for both the External Firewall and the Internal Firewall to use the same brand of product. Any recommendations for me?

Thanks in advance.
Eric
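The point David makes above, that a stateful packet filter and an application proxy catch different things, is easier to see with a small model. The following Python is an added example for this thread, not code from any of the products mentioned: tier 1 is a stateful packet filter that decides on addresses, ports and connection state only, tier 2 is a minimal HTTP proxy that forwards nothing it cannot parse and allow-list. The addresses (203.0.113.7, 10.0.1.10), the hostnames and the sample packets are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = False        # True for the first packet of a TCP connection
    payload: bytes = b""


class StatefulPacketFilter:
    """Tier 1 (SPI): decides on addresses, ports and connection state only.
    It never looks inside the payload, which is what keeps it cheap."""

    def __init__(self, allowed_services):
        self.allowed = set(allowed_services)   # {(dst, dport), ...}
        self.flows = set()                     # established (src, dst, dport)

    def check(self, p: Packet) -> Optional[str]:
        """Return None to pass the packet, or a short reason string for a drop."""
        flow = (p.src, p.dst, p.dport)
        if flow in self.flows:
            return None                        # part of an established connection
        if p.syn and (p.dst, p.dport) in self.allowed:
            self.flows.add(flow)               # new connection matching a rule
            return None
        return "tier1: no state and no rule permits %s:%d" % (p.dst, p.dport)


REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


class HttpProxy:
    """Tier 2 (application proxy): only forwards requests it can parse and
    that match an explicit allow-list of methods and virtual hosts."""

    def __init__(self, methods, hosts):
        self.methods = set(methods)
        self.hosts = set(hosts)

    def check(self, p: Packet) -> Optional[str]:
        if not p.payload:
            return None                        # bare connection setup, nothing to inspect
        m = REQUEST_LINE.match(p.payload)
        if not m:
            return "tier2: payload is not an HTTP request"
        method = m.group(1).decode()
        if method not in self.methods:
            return "tier2: method %s not allowed" % method
        headers = p.payload[m.end():]
        host = re.search(rb"(?im)^Host:[ \t]*([^\r\n]+)\r\n", headers)
        if not host or host.group(1).strip().decode() not in self.hosts:
            return "tier2: missing or unexpected Host header"
        return None


def two_tier_verdicts(packets, tier1, tier2):
    """Run each packet through tier 1 and then tier 2; return (allowed, reason)."""
    out = []
    for p in packets:
        reason = tier1.check(p) or tier2.check(p)
        out.append((reason is None, reason or "allowed by both tiers"))
    return out


# Constructed sample traffic from a hypothetical client to a hypothetical web server.
SAMPLE = [
    Packet("203.0.113.7", "10.0.1.10", 80, syn=True),                    # TCP handshake
    Packet("203.0.113.7", "10.0.1.10", 80,
           payload=b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("203.0.113.7", "10.0.1.10", 80,
           payload=b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),              # not HTTP at all, on port 80
    Packet("203.0.113.7", "10.0.1.10", 80,
           payload=b"CONNECT intranet.example.com:443 HTTP/1.1\r\n"
                   b"Host: intranet.example.com\r\n\r\n"),                # method not on the allow-list
    Packet("203.0.113.7", "10.0.1.10", 3306, syn=True),                  # no rule permits 3306
]


def demo():
    tier1 = StatefulPacketFilter([("10.0.1.10", 80)])
    tier2 = HttpProxy(methods={"GET", "HEAD", "POST"}, hosts={"www.example.com"})
    return two_tier_verdicts(SAMPLE, tier1, tier2)


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DROP ", why)
```

Packets 3 and 4 are accepted by tier 1 because they belong to an established flow on a permitted port; only the proxy, which actually parses the request, refuses them. Packet 5 never reaches tier 2. Two boxes that make their decisions on different information are what give the second tier its value, and a shared vendor bug that affected only the packet-filter logic would still leave the proxy's check in place.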
Current thread:
- second-tier firewall replacement Eric Ong (Sep 10)
- RE: second-tier firewall replacement David Gillett (Sep 10)
- Re: second-tier firewall replacement Eric Ong (Sep 16)
- RE: second-tier firewall replacement Boaz Shunami (Sep 17)
- Re: second-tier firewall replacement Eric Ong (Sep 16)
- RE: second-tier firewall replacement David Gillett (Sep 10)