Firewall Wizards mailing list archives

RE: placement of AG vs SPF


From: "Stout, Bill" <StoutB () pios com>
Date: Mon, 21 Sep 1998 12:16:05 -0400

----- Original Message -----
Lets suppose we have the following sort of network compartmentalization:

                                                                    /- net 1
Internet   ---  Firewall   --- (inter-firewall segment) --- Firewall - net 2...
                 / | \                   |                          \- net N
                DMZ services     Bastion services
<snip> 
Which would you put on the outside as the screening firewall, and which on
the inside as the internal firewall, and why?  Does the specific product
matter, or is the reasoning based upon AG vs SPF?

Security is only one design consideration.  There is a 'self-defined'
difference between relative security and absolute security, specifically,
more connectivity (or usability) means less security.

Performance and features are other design considerations.  The initial
connection to the Internet will be a router to which you will apply security
filters.  Through this you allow only known used ports and connection
directions for protocols you will use on a firewall-by-firewall or
server-by-server basis.  The DMZ firewall needs to be fast, which typically
means a packet-filter or state-based system (again security is relative, how
important is it that NYT hacks do not happen to you?).  For services, adding
caching or load-balancing proxies could improve performance.  The Internal
firewall needs to be very tight on inbound connections, and might be
responsible for VPN traffic to other sites or allow access to an internal
VPN tunnel server, and handle mostly outbound traffic for Internet access.

Internal firewalls became looser as they began to handle more inbound
traffic and new outbound applications; firewalls could be categorized as
inbound services firewalls (DMZ) or outbound access firewalls (Internal).

Bill Stout
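The three tiers Bill describes (a screening router that passes only known ports and directions, a fast state-based DMZ firewall, and an internal firewall that is tight on inbound and mostly carries outbound traffic) can be modelled as a small policy engine. The following is an added example written for this archive page, not code from the original thread or from any product mentioned in it; every zone name, port number and rule value is a constructed assumption. It shows why the stateless router alone is not enough (its "established" rule waves through an unsolicited ACK that the stateful DMZ firewall then drops) and why the internal firewall stays tight even toward the DMZ.

```python
"""Toy model of a screening router, a stateful outer (DMZ) firewall and a tight
internal firewall.  Assumed example; zones, ports and rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # zone: "internet", "dmz" or "internal" (not an address)
    dst: str
    proto: str
    sport: int
    dport: int
    new: bool = True  # True = first packet of a flow (SYN for TCP), False = reply


class ScreeningRouter:
    """Stateless ACL: known ports/directions in, everything out, plus the classic
    'established' rule that passes non-initial packets without keeping state."""
    name = "screening router"

    def __init__(self, allowed_inbound):
        self.allowed_inbound = allowed_inbound   # set of (dst_zone, proto, dport)

    def permits(self, p: Packet) -> bool:
        if p.src != "internet":
            return True                          # outbound is not filtered here
        if not p.new:
            return True                          # no state table: this is a guess
        return (p.dst, p.proto, p.dport) in self.allowed_inbound


class StatefulFirewall:
    """State-based packet filter: new flows from its inside zones are allowed and
    remembered, new inbound flows only to listed services, and any non-initial
    packet must match an entry in the state table (in either direction)."""

    def __init__(self, name, inside_zones, allowed_inbound):
        self.name = name
        self.inside = inside_zones
        self.allowed_inbound = allowed_inbound   # set of (dst_zone, proto, dport)
        self.state = set()

    def permits(self, p: Packet) -> bool:
        flow = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        if not p.new:
            return flow in self.state or reverse in self.state
        if p.src in self.inside or (p.dst, p.proto, p.dport) in self.allowed_inbound:
            self.state.add(flow)
            return True
        return False


def build_network():
    # Constructed rule sets: web and mail in the DMZ, IKE to an internal VPN server.
    router = ScreeningRouter({("dmz", "tcp", 80), ("dmz", "tcp", 25),
                              ("internal", "udp", 500)})
    outer = StatefulFirewall("DMZ firewall", {"dmz", "internal"},
                             {("dmz", "tcp", 80), ("dmz", "tcp", 25),
                              ("internal", "udp", 500)})
    inner = StatefulFirewall("internal firewall", {"internal"},
                             {("internal", "udp", 500)})
    return [router, outer, inner]     # chain[i] sits between depth i and i + 1


DEPTH = {"internet": 0, "dmz": 2, "internal": 3}


def traverse(chain, p: Packet) -> str:
    """Run the packet through every device between its source and destination
    zones, outermost first for inbound traffic, innermost first for outbound."""
    lo, hi = sorted((DEPTH[p.src], DEPTH[p.dst]))
    devices = chain[lo:hi]
    if DEPTH[p.src] > DEPTH[p.dst]:
        devices = devices[::-1]
    for dev in devices:
        if not dev.permits(p):
            return f"dropped by {dev.name}"
    return "allowed"


def demo() -> dict:
    chain = build_network()
    r = {}
    # Inbound web request to a DMZ service: router and DMZ firewall both pass it.
    r["web_to_dmz"] = traverse(chain, Packet("internet", "dmz", "tcp", 51000, 80))
    # Unsolicited non-initial packet at an internal host: the stateless router's
    # 'established' rule passes it, the stateful DMZ firewall finds no state.
    r["unsolicited_ack_to_internal"] = traverse(
        chain, Packet("internet", "internal", "tcp", 80, 40000, new=False))
    # Ordinary outbound browsing from the internal net, then the genuine reply.
    r["internal_browse_out"] = traverse(chain, Packet("internal", "internet", "tcp", 40001, 80))
    r["reply_to_internal"] = traverse(
        chain, Packet("internet", "internal", "tcp", 80, 40001, new=False))
    # IKE to the internal VPN server is the one inbound exception on the internal firewall.
    r["ike_to_vpn_server"] = traverse(chain, Packet("internet", "internal", "udp", 500, 500))
    # A new flow from the DMZ inward only meets the internal firewall, and it is tight.
    r["dmz_to_internal_smb"] = traverse(chain, Packet("dmz", "internal", "tcp", 52000, 445))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

Running `demo()` shows the division of labour: the router does cheap port/direction screening, the DMZ firewall's state table is what actually rejects unsolicited packets that the router cannot recognise, and the internal firewall admits nothing new from outside except the single VPN exception, whether the source is the Internet or a DMZ host.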


