Security Basics mailing list archives
Re: Basic Network Configuration
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 16 Oct 2003 12:25:27 +0200
On 2003-10-15 David Gillett wrote:
One implements a DMZ in order to impose three sets of firewall rules: - between the internet and the DMZ subnet - between the internet and the trusted subnet - between the DMZ subnet and the trusted subnet
IMHO the second rule is void, since no traffic should bypass the DMZ.
If, instead, you use two boxes, your traffic between the internet and the trusted subnet incurs an extra router hop in each direction. Not a big deal, but performance purists tend to complain about firewall overheads already. Two firewalls will not necessarily cost more than one, if you can get away with SOHO models that only have two interfaces instead of industrial-strength boxes which typically support three or more.
I have to disagree on this. Two firewalls *will* cost more than one because you will have to maintain (confguration, patches, ...) two different systems. There is no point in implementing the same firewall twice (with different rulesets) because in that case both systems will most likely be vulnerable to the same exploits.
The usual justification for using two firewalls is that an attacker would have to get past both to get into the trusted network. You only really achieve this benefit if the boxes run different OS and firewall code, so that no single vulnerability works against both.
Of course. Anything else is completely pointless.
But if you use two boxes, then your rules that govern traffic between the internet and the trusted subnet may appear on either box -- are, in fact, the intersection of rules found on both boxes.
I don't see many reasons why traffic should bypass the DMZ - provided you are already going to the trouble of implementing a 2-device setup. OTOH I may be missing something here.
Correctly managing such a split ruleset can be a challenge, even if both boxes use the same syntax and user interface -- which they won't, if they're distinct enough to cover against firewall vulnerabilities!
True. That's the price you have to pay. Regards Ansgar Wiechers --------------------------------------------------------------------------- FREE Whitepaper: Better Management for Network Security Looking for a better way to manage your IP security? Learn how Solsoft can help you: - Ensure robust IP security through policy-based management - Make firewall, VPN, and NAT rules interoperable across heterogeneous networks - Quickly respond to network events from a central console Download our FREE whitepaper at: http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015 ----------------------------------------------------------------------------
Current thread:
- RE: Basic Network Configuration, (continued)
- RE: Basic Network Configuration Stuart (Oct 15)
- Re: Basic Network Configuration cc (Oct 15)
- Re: Basic Network Configuration Anders Reed-Mohn (Oct 15)
- Re: Basic Network Configuration DRAx (Oct 15)
- Re: Basic Network Configuration Ansgar -59cobalt- Wiechers (Oct 15)
- Re: Basic Network Configuration Valter Santos (Oct 15)
- RE: Basic Network Configuration David Gillett (Oct 15)
- Re: Basic Network Configuration DRAx (Oct 16)
- RE: Basic Network Configuration David Gillett (Oct 16)
- Re: Basic Network Configuration DRAx (Oct 16)
- Re: Basic Network Configuration DRAx (Oct 16)
- Re: Basic Network Configuration Ansgar -59cobalt- Wiechers (Oct 16)
- RE: Basic Network Configuration David Gillett (Oct 16)
- Re: Basic Network Configuration 'Ansgar -59cobalt- Wiechers' (Oct 16)
- RE: Basic Network Configuration David Gillett (Oct 17)
- Re: Basic Network Configuration 'Ansgar -59cobalt- Wiechers' (Oct 17)
- Ports used by VTAM Naren - Pactech (Oct 17)
- RE: Basic Network Configuration David Fore (Oct 15)