Re: second-tier firewall replacement

["Eric Ong" <eric.ccong () gmail com>]

Thanks a lot for your valuable comments.

I have more questions about my 2-tier firewall selection.

Since my network doesn't have any segmentation, that is ONLY one
sub-net. my second-tier firewall is worked as a transparent mode
firewall. I know that the LAN segmentation is important for both
performance and security point of view. However, due to the limitation
of the too many server/application/.. , it cannot implement the LAN
segmentation now.

If I purchased a four-leg firewall, and use the "four-leg firewall" as
transparent firewall to separate the network into the four ZONE. Will
you think that idea is okay or not ?

Also, nowadays, the new network should be able to support 1000Mbps. Do
i need to purchase a 10/100 Mbps firewall or 10/100/1000 Mbps
firewall?

Thanks

Eric

On Thu, Sep 11, 2008 at 6:41 AM, David Gillett <gillettdavid () fhda edu> wrote:
>  Your auditor is correct.  One of the reasons for choosing a
> 2-tier configuration instead of a 3-legged configuration is
> so that an attacker should not have a single exploit that
> gets him all the way into the trusted network zone.  Even
> though the policies at the two tiers should be different,
> using the same vendor opens you to the risk that an exploit
> might be discovered which bypasses the rulesets of both
> boxes.
>
>  Since your outer tier firewall is exposed to the semi-random
> "noise" of the Internet, performance may be an issue, and so
> SPI -- Stateful Packet Inspection -- delivers good value for
> the money.  Ideally, the second tier should not just be a
> different brand but take a different approach:  a proxying
> "application" firewall.  These tend to be more resource
> intensive (bad choice for first tier) but can also detect
> things that would sail right past an SPI firewall.
>  I'm not sure exactly why you have an auditor looking at
> your configuration, but the PCI DSS rules specify an
> "application firewall", and a good argument can be made that
> a proxy qualifies and an SPI firewall does not.
>
>  From what I've looked at closely, Blue Coat is my personal
> favourite, but others may have their own recommendations.
>
> David Gillett
>
>
> > -----Original Message-----
> > From: Eric Ong [mailto:eric.ccong () gmail com]
> > Sent: Wednesday, September 10, 2008 9:06 AM
> > To: security-basics
> > Subject: second-tier firewall replacement
> >
> > Hi all,
> >
> > I need to implement a second-tier firewall replacement
> > project under the 2-tier firewall configuration
> >
> > Below is our current 2-tier firewall configuration:
> > ISP (internet) --> External Firewall/First-Tier Firewall
> > (Juniper Netscreen 25) --> DMZ --> Internal
> > Firewall/Second-Tier Firewall(SunScreen Firewall) --> Internal Network
> >
> >
> > I have the problem that I don't know why is the critical i
> > need to select the second-tier firewall.
> > Since I know that the SunScreen Firewall is not famous now,
> > so I want to replace the SunScreen Firewall with a new one.
> > Frankly, I want to replace the SunScreen by the Juniper Netscreen.
> > However, my auditor said that this is not a good ideas for
> > both External Firewall and Internal Firewall use the same
> > brand product.
> >
> > Any recommendations for me??
> >
> > Thanks in advance.
> >
> > Eric