Firewall Wizards mailing list archives
RE: placement of AG vs SPF
From: "Stout, Bill" <StoutB () pios com>
Date: Mon, 21 Sep 1998 12:16:05 -0400
----- Original Message -----
Let's suppose we have the following sort of network compartmentalization:

                                                         /- net 1
Internet --- Firewall --- (inter-firewall segment) --- Firewall - net 2...
                              /        |        \          |
                       DMZ services   Bastion services     \- net N
<snip>
Which would you put on the outside as the screening firewall, and which on the inside as the internal firewall, and why? Does the specific product matter, or is the reasoning based upon AG vs SPF?
Security is only one design consideration. There is a 'self-defined' difference between relative security and absolute security; specifically, more connectivity (or usability) means less security. Performance and features are other design considerations.

The initial connection to the Internet will be a router to which you will apply security filters. Through this you allow only known used ports and connection directions for protocols you will use, on a firewall-by-firewall or server-by-server basis.

The DMZ firewall needs to be fast, which typically means a packet-filter or state-based system (again, security is relative: how important is it that NYT hacks do not happen to you?). For services, adding caching or load-balancing proxies could improve performance.

The Internal firewall needs to be very tight on inbound connections, and might be responsible for VPN traffic to other sites or allow access to an internal VPN tunnel server, and handle mostly outbound traffic for Internet access. Internal firewalls became looser as they began to handle more inbound traffic and new outbound applications; firewalls could be categorized as inbound services firewalls (DMZ) or outbound access firewalls (Internal).

Bill Stout
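An added example, not part of the thread: a small Python model of the two-tier layout Bill describes, with a stateless screening router that admits only known ports, a stateful DMZ firewall that opens inbound service connections, and an internal firewall that opens only outbound connections. Zone names, ports and rule sets are constructed for illustration; it shows why a port-only screen lets an unsolicited "reply" through while the direction-aware tier behind it does not.

```python
from collections import namedtuple

# src/dst are zone names ("internet", "dmz", "internal"); syn marks the opening packet
Packet = namedtuple("Packet", "src sport dst dport syn")

class ScreeningRouter:
    """Stateless screen: admits only known service ports, in either direction."""
    def __init__(self, name, ports):
        self.name, self.ports = name, ports
    def accept(self, p):
        return p.dport in self.ports or p.sport in self.ports

class StatefulFirewall:
    """Opens new connections only for listed (src zone, dst zone, port) triples;
    non-SYN packets are admitted only if they belong to an open connection."""
    def __init__(self, name, allow_new):
        self.name, self.allow_new, self.table = name, allow_new, set()
    def accept(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        if p.syn:
            if (p.src, p.dst, p.dport) in self.allow_new:
                self.table.add(flow)
                return True
            return False
        return flow in self.table or (p.dst, p.dport, p.src, p.sport) in self.table

ZONES = ["internet", "dmz", "internal"]   # outside-in order

def build_perimeter():
    """Router -> DMZ firewall -> DMZ services -> internal firewall -> internal net."""
    router = ScreeningRouter("router", {25, 53, 80, 443})
    outbound = {("internal", "internet", 80), ("internal", "internet", 443)}
    dmz_fw = StatefulFirewall("dmz_fw", outbound | {("internet", "dmz", 80),
                              ("internet", "dmz", 443), ("internet", "dmz", 25)})
    internal_fw = StatefulFirewall("internal_fw", outbound | {("internal", "dmz", 25)})
    # tiers crossed on each hop between adjacent zones, listed outside-in
    return {("internet", "dmz"): [router, dmz_fw], ("dmz", "internal"): [internal_fw]}

def evaluate(hops, p):
    """Walk the packet through every tier on its path; name the tier that drops it."""
    i, j = ZONES.index(p.src), ZONES.index(p.dst)
    step = 1 if j > i else -1
    for k in range(i, j, step):
        a, b = sorted((ZONES[k], ZONES[k + step]), key=ZONES.index)
        for tier in hops[(a, b)] if step == 1 else hops[(a, b)][::-1]:
            if not tier.accept(p):
                return tier.name
    return "accept"
```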