Firewall Wizards mailing list archives
RE: Reverse Proxy on DMZ - 1 FW, 2 FW (disclaimer at end...)
From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Wed, 20 Jan 1999 10:40:25 PST
Would you mind explaining this a little bit more? Are you talking about multiple firewalls behind each other or about the "separate network" case outlined below?
Although you could set this up many ways, I prefer a 'serial firewall' environment (for some situations like this). It is quite annoying to do this with more than two firewalls though, because, as you mentioned, why should all packets from the deep end go through 3,4, even 5 stacks to get out. It is not a huge deal in terms of performance if you are using small amounts of bandwidth to the outside world (10-50 meg/s) and is not even worth talking about if you are using a slow connection like a T1, 2 T1's, etc. However, most will agree that setting up routing internally to go through more than two firewalls is a bit annoying. YMMV. So that is what I was talking about in terms of multiple firewalls - in this case you have your DMZ between the router and FW #1 - do what you want with the DMZ, I guess. Then you have a space between FW #1 and FW #2 which would be a good place to put dirty machines like www, etc., then you have everything behind FW #2 which is where you put the sensitive stuff. This is a broad generalization. It may not be suitable for your network.
Hmmm... I don't see how my arguments would not hold in a scenario of multiple firewalls. My latest project was one in which we used several firewall entities (from two to five, depends on one's definition) and
That's the point - your arguments _do_ hold, which is why you put in multiple firewalls in some scenarios. If your points were not valid, we could just throw everything behind one firewall.
Sorry, but I have the strong tendency to separate machines from each other. Each of those machines resembles a different risk: The Web server might be broken because of some funny OS/Library/Web-Server interaction (1). The mail server because of some buffer overflow. I can't put them on the same network because I have to know if one behaves "different". If a chain breaks at the weakest link, just don't use a chain. Right?
Right - here is the scenario I am describing - you have a serial firewall setup like I talked about above, and you just move the part between FW #1 and FW #2 to a completely different network. Obviously if you are not comfortable putting them all together between FW1 and FW2, then you shouldn't be doing that in the first place. What I am saying is that if you use a serial firewall setup - with 2, 3, 4, 5, 20 firewalls, remember that you also have the opportunity to take any one of those segments and just move it to another building with another ISP and give it a single firewall for itself. Presumably the machines quarantined in each of those segments can be safely placed together on one network, otherwise, what are they doing in the same segment in the first place? I agree that we _should_ be separating machines - I think we agree more than you think - because placing things on totally separate networks like this is about as separate as it gets. Certainly if you are not comfortable having mail and www together in a segment, then you shouldn't put them together at a separate location. In some cases, you can be confident putting them together (or sometimes you have to) so this is just another alternative to placing in another serial firewall (or a dirty segment off of a third nic, whatever).

Disclaimer: I think it is important to point out that the best security practice for a particular environment is not necessarily the accepted, published, agreed upon format. It is conceivable that one could build a secure network without a firewall. It is conceivable that one could securely place mail, www, and sensitive machines inside a single firewall. Then again, it is conceivable that the best security for _your_ application is having 10 firewalls all in a line. Or maybe a few firewalls with 5 NICs each. Or maybe split those segments up into 20 new physical networks in different locations that do not even recognize each other. Most likely the above is not the case.
Most likely you _do_ need a firewall, you do need to quarantine machines, and you don't have the resources to place 10 separate networks in 10 different geographical locations on different networks. In these cases you can learn a lot from the _accepted_ work in the field. Just _don't forget_ that when I write this email, I have _no_ clue what your network is like and what it is doing. When people respond to this email, they also have _no clue_. We can offer only broad generalizations and speculation. Please do not mistake these broad generalizations and wanderings to obscure eventualities to mean that I think these are the best practices, etc. _in general_ ... I have done all of these things, and just like to throw out my experience as ideas - even when it conflicts with the 'accepted' material, or how you run your network. Make a security system that protects your network best - nothing less, and if that means doing things strangely, so be it - just post to the list when you do, because I _like_ to hear about new and strange ways of doing things - it increases my mental toolset. If someone sets up a secure network _without_ a firewall, I WANT to hear about it, even though it conflicts with the books I read and the trade journals I subscribe to. If someone knows a way to quarantine different blocks using serial firewalls, or some other method, I want to hear about it even though it is not something I would do on my network. I didn't make up these ideas, I learned them the same way - someone talked about an obscure application they did that had no bearing whatsoever on my current projects, and went against the philosophy I was using on my network at the time. Later, however, I found an assignment that called for these ideas, and was glad to have them.
kozubik - John Kozubik - john_kozubik () hotmail com PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4
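The serial firewall layout the post describes (router, DMZ, FW #1, a "dirty" segment for www and mail, FW #2, then the sensitive machines) can be modelled as a chain of segments in which a flow has to pass every firewall between its source and destination segment. The following is an added example, not code from the thread or from any firewall product; the addresses (documentation ranges), the rulesets and the host roles are all constructed. It shows the two properties the discussion turns on: a host in the dirty segment that gets compromised still has to get past FW #2 to reach anything sensitive, and traffic from the sensitive segment to the outside world crosses every firewall in the chain.

```python
"""Toy model of a serial firewall chain:
internet -> dmz -> [fw1] -> dirty (www, mail) -> [fw2] -> sensitive
Added example; segments, addresses and rules are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Optional

# Segments in chain order.  A flow from segment i to segment j crosses every
# firewall on the hops between them: that is what makes the layout "serial".
SEGMENTS = ["internet", "dmz", "dirty", "sensitive"]
SEGMENT_NETS = {                                   # constructed addresses
    "dmz": ip_network("203.0.113.0/28"),
    "dirty": ip_network("192.0.2.0/24"),           # www at .10, mail at .20
    "sensitive": ip_network("10.10.0.0/16"),
}
# Firewall on each hop of the chain; the router/DMZ hop has none.
HOP_FIREWALL = {("dmz", "dirty"): "fw1", ("dirty", "sensitive"): "fw2"}
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]        # None matches any destination port

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


# Constructed rulesets, first match wins, implicit deny at the end of each.
RULES = {
    "fw1": [
        Rule("allow", ANY, ip_network("192.0.2.10/32"), 80),   # public www
        Rule("allow", ANY, ip_network("192.0.2.20/32"), 25),   # public mail
        Rule("allow", ip_network("192.0.2.0/24"), ANY, None),  # dirty hosts outbound
        Rule("allow", ip_network("10.10.0.0/16"), ANY, None),  # sensitive hosts outbound
    ],
    "fw2": [
        Rule("allow", ip_network("10.10.0.0/16"), ANY, None),  # sensitive outbound only
        # the single deliberate pinhole from dirty to sensitive: mail relay to internal MTA
        Rule("allow", ip_network("192.0.2.20/32"), ip_network("10.10.0.25/32"), 25),
    ],
}


def segment_of(ip: IPv4Address) -> str:
    """Map an address to its segment; anything unknown is treated as internet."""
    for name, net in SEGMENT_NETS.items():
        if ip in net:
            return name
    return "internet"


def firewalls_on_path(src_seg: str, dst_seg: str) -> list:
    """Firewalls crossed, in traversal order, going from src_seg to dst_seg."""
    i, j = SEGMENTS.index(src_seg), SEGMENTS.index(dst_seg)
    lo, hi = sorted((i, j))
    hops = [(SEGMENTS[k], SEGMENTS[k + 1]) for k in range(lo, hi)]
    if i > j:                       # walking outward: cross the deepest firewall first
        hops = hops[::-1]
    return [HOP_FIREWALL[h] for h in hops if h in HOP_FIREWALL]


def firewall_verdict(fw: str, src: IPv4Address, dst: IPv4Address, dport: int) -> str:
    for rule in RULES[fw]:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"                   # implicit deny


def evaluate(src: str, dst: str, dport: int):
    """Return (verdict, firewall that denied or None, firewalls on the path)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    path = firewalls_on_path(segment_of(src_ip), segment_of(dst_ip))
    for fw in path:
        if firewall_verdict(fw, src_ip, dst_ip, dport) == "deny":
            return "deny", fw, path
    return "allow", None, path


if __name__ == "__main__":
    # Constructed flows: a visitor reaching www, a compromised www box probing
    # the sensitive segment, and a sensitive host going out through both firewalls.
    for flow in [("198.51.100.7", "192.0.2.10", 80),
                 ("192.0.2.10", "10.10.1.5", 22),
                 ("10.10.1.5", "198.51.100.7", 443),
                 ("198.51.100.7", "10.10.1.5", 80)]:
        print(flow, "->", evaluate(*flow))
```

The model is deliberately stateless and one-directional; it says nothing about return traffic or about the router/DMZ hop, which the post leaves to the reader. What it does make visible is the trade-off the post argues about: the deeper a segment sits, the more firewalls its outbound traffic crosses, and the more firewalls an intruder in a shallower segment has to get through on the way in.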