Firewall Wizards mailing list archives

placement of AG vs SPF


From: Woody Weaver <woody () wiltelnsi com>
Date: Fri, 18 Sep 1998 11:18:13 -0700

Let's suppose we have the following sort of network compartmentalization:

                                                                    /- net 1
Internet   ---  Firewall   --- (inter-firewall segment) --- Firewall - net 2...
                 / | \                   |                          \- net N
                DMZ services     Bastion services

DMZ services are public, you mostly want to keep them from crashing; no
significant data will reside there (they'd be refreshed from inside on a
regular basis).  Bastion services include authentication, logging, and
pass-through to internal databases.  Inside the second firewall are users,
protected internal servers, etc.

Let's say you are a belts-and-suspenders sort of guy, and believe that two
separate firewall technologies should be used, so you decide that one
firewall will be a "mostly application gateway" firewall (sometimes called
a proxy... :) ) and the other will be a "mostly stateful packet filter"
firewall.  If the specific product matters, let's say one is going to be
Gauntlet, and the other Checkpoint's FW1.

Which would you put on the outside as the screening firewall, and which on
the inside as the internal firewall, and why?  Does the specific product
matter, or is the reasoning based upon AG vs SPF?

--woody
--
Robert Wooddell Weaver               email:  woody () wiltelnsi com
Network Engineer                     voice:  510.358.3972
Williams Communication Data Group    pager:  510.702.4334


