Security Basics mailing list archives

RE: second-tier firewall replacement


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 10 Sep 2008 15:41:58 -0700

  Your auditor is correct.  One of the reasons for choosing a
2-tier configuration instead of a 3-legged configuration is 
so that an attacker should not have a single exploit that 
gets him all the way into the trusted network zone.  Even 
though the policies at the two tiers should be different,
using the same vendor opens you to the risk that an exploit
might be discovered which bypasses the rulesets of both
boxes.

  Since your outer tier firewall is exposed to the semi-random 
"noise" of the Internet, performance may be an issue, and so
SPI -- Stateful Packet Inspection -- delivers good value for
the money.  Ideally, the second tier should not just be a 
different brand but take a different approach:  a proxying
"application" firewall.  These tend to be more resource 
intensive (bad choice for first tier) but can also detect 
things that would sail right past an SPI firewall.

  I'm not sure exactly why you have an auditor looking at 
your configuration, but the PCI DSS rules specify an 
"application firewall", and a good argument can be made that 
a proxy qualifies and an SPI firewall does not.

  From what I've looked at closely, Blue Coat is my personal
favourite, but others may have their own recommendations.

David Gillett


-----Original Message-----
From: Eric Ong [mailto:eric.ccong () gmail com] 
Sent: Wednesday, September 10, 2008 9:06 AM
To: security-basics
Subject: second-tier firewall replacement

Hi all,

I need to implement a second-tier firewall replacement 
project under the 2-tier firewall configuration.

Below is our current 2-tier firewall configuration:
ISP (internet) --> External Firewall/First-Tier Firewall 
(Juniper Netscreen 25) --> DMZ --> Internal 
Firewall/Second-Tier Firewall(SunScreen Firewall) --> Internal Network


I have the problem that I don't know why it is critical that I 
need to select the second-tier firewall.
Since I know that the SunScreen Firewall is not famous now, 
I want to replace the SunScreen Firewall with a new one.
Frankly, I want to replace the SunScreen with the Juniper Netscreen.
However, my auditor said that this is not a good idea for 
both the External Firewall and the Internal Firewall to use the same 
brand of product.

Any recommendations for me?

Thanks in advance.

Eric


