Firewall Wizards mailing list archives

Re: Screening Router as a firewall


From: jfvanmeter () comcast net
Date: Wed, 30 Mar 2005 13:16:54 +0000

I have seen a setup that had two firewalls, the first was a PIX and the second was Checkpoint.  The reasons for two 
firewalls and two different vendors are:

1. The area between the two firewalls would be a screening subnet and you could host your email servers, content 
filtering systems, DNS, etc.
2. Rules can be split between the two firewalls.
3. The reason for two different vendors is that if one vendor has an exploit and the perimeter firewall is compromised, the 
second firewall keeps any malicious activity out... ok hopefully out.... 

-------------- Original message -------------- 

Shimon, 

here is a long answer to your question. 

Let's first challenge your premise: what is the purpose of having 
multiple firewalls in series? Clearly, the reason is the assumption 
that 2 firewalls are more secure than one. 
Why should this assumption hold? 

After all, if the security policy allows some traffic to reach from 
source to destination - then BOTH firewalls will have 
the necessary "pass" rules. You need only one of the firewalls to 
drop unallowed traffic, so you could possibly save duplicating "drop" 
rules, but this is not giving you any more security. So, I conclude that 
if both firewalls are correctly enforcing the same policy, their 
combined filtering effect is identical to having just one - the other one 
is redundant (read "useless"). 

Another possible reason for the thought that "2 are better than 1" 
is "reliability": let's assume that each firewall has a "failure" 
probability of p, then the probability of both failing at the same 
time is p^2, right? 
Wrong! That calculation is correct only if the failure probabilities 
are _independent_, which most certainly is not the case for 2 firewalls 
connected in series, configured by the same staff, with the same power grid, 
etc. etc. Their failure probabilities are highly correlated. 

Moreover, the main reason for firewall "failure" (which means allowing 
bad traffic through) is poor configuration - see citation [1] below. 
It's not a power failure or a bug in the vendor's code. So duplicating 
the hardware, even from different vendors, won't buy you the "failure 
independence" your management is looking for. You might get some 
independence if you have separate teams configuring the devices - 
I doubt if many organizations do this, it sounds like operational hell... 

I can think of only 2 rational reasons to have 2 firewalls. 

1. performance: you could get a performance boost if your 
outer firewall was a fast but "stupid" device: you let it throw 
away the obvious junk, and let the slower but smarter device 
work on a lighter traffic load. 

2. You want to put machines between the firewalls and form a DMZ. This 
is fine, and does not contradict my argument from before because the 
two firewalls are enforcing different policies now. 

With this analysis in mind, I would say that if you want option #1, 
then putting filtering access lists on a router in front of the main 
firewall is a fine solution. If you want option #2 (DMZ), then you 
want real firewalls both in front and behind the DMZ. I wouldn't "skimp" 
on the inside firewall because the DMZ could pose as bad a security 
risk as the "outside". 

In either case I wouldn't rely on a Microsoft ISA: it's running the same OS 
as many of your internal machines, so it is as vulnerable to malware as 
those internal machines. This is where failure probability independence does 
make sense: it's plausible that one vendor's bugs are independent of another. 

HTH 
Avishai 

Reference: 

[1] A. Wool. A quantitative study of firewall configuration errors. 
IEEE Computer, 37(6):62-67, 2004. 
http://www.eng.tau.ac.il/~yash/computer2004.pdf 



--- Shimon Silberschlag wrote: 
Hello group, 

Having a request for at least 2 firewalls protecting internet connectivity, 
would you consider a border router with ACLs as the first firewall, or would 
you demand to implement ACLs on the router and 2 other "traditional" 
firewalls? 

If you select the first option, would simple "packet filter" type ACLs 
suffice, or would you demand "stateful" ACLs? 
(I believe Cisco calls its implementation CBAC). 
If you select the second option, would you demand that the 2 firewalls be of 
different brand, different technology or can they be the same product? 

Can ISA2004 serve as the second, internal facing firewall? Anyone using it 
as such? 

TIA, 

Shimon Silberschlag 

+972-3-9351572 
+972-50-7207130 

_______________________________________________ 
firewall-wizards mailing list 
firewall-wizards () honor icsalabs com 
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards 


Avishai Wool, Ph.D., 
http://www.algosec.com http://www.eng.tau.ac.il/~yash 
yash () acm org Tel: +972-3-640-6316 Fax: +972-3-640-7095 
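The reliability and policy arguments above, carried through as an added derivation (not part of any of the original posts). Let $F_1$ and $F_2$ be the events "firewall 1 fails" and "firewall 2 fails", each with probability $p$, and let $A_i$ be the set of flows firewall $i$ passes:

$$
P(F_1 \cap F_2) \;=\; P(F_1)\,P(F_2 \mid F_1) \;=\; p \cdot P(F_2 \mid F_1).
$$

Only under independence is $P(F_2 \mid F_1) = p$, which gives the $p^2$ figure. With shared causes (same staff, same configuration errors, same power grid) the failures are positively correlated, so $P(F_2 \mid F_1) > p$; in the limit where a misconfiguration on one device is mirrored on the other, $P(F_2 \mid F_1) = 1$ and

$$
P(F_1 \cap F_2) \;=\; p,
$$

i.e. no gain at all. For $p = 0.1$ this spans $0.01$ (independent) through $0.05$ (at $P(F_2 \mid F_1) = 0.5$) up to $0.1$ (fully correlated).

For the filtering effect, two firewalls in series pass exactly the flows both allow, $A_1 \cap A_2$. If both enforce the same policy, $A_1 = A_2 = A$ and

$$
A_1 \cap A_2 \;=\; A,
$$

identical to a single firewall. Only when the policies differ, as with a DMZ whose inner and outer firewalls allow different flows, does $A_1 \cap A_2$ become a strict subset of each $A_i$ and the second device add filtering that the first does not.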


