Security Basics mailing list archives
Re: 2 firewalls protecting internal network
From: olufemimogaji () gmail com
Date: Fri, 25 May 2012 14:48:44 +0000
The idea is to separate two networks with differing security requirements. In some scenarios, this implementation is highly effective. See my explanation:

The perimeter firewall's function is to allow the permitted traffic/hosts from the external network (internet) to access resources in the DMZ. In that case the firewall permits some form of external traffic into the network. This slight loophole can be exploited by hackers to gain access to the DMZ (tunnelling & the like).

However, the inner firewall (2nd firewall), in some scenarios, can be configured NOT to allow any form of traffic past it, except returning traffic initiated by hosts on the inner network. This to a large extent mitigates the risk of tunnelling from the internet or DMZ into the internal network, as suggested by a learned contributor (but I'm open to learning ways this can be circumvented).

NAT would traditionally be implemented on this 2nd firewall also, so internal network addresses are hidden. If properly configured, no routing protocols/static routing is required. Therefore, if an attacker who has compromised the DMZ attempts to get past the 2nd firewall, his packets won't get anywhere, as the compromised machine will only try to forward all packets destined to an unknown network to the default gateway (the perimeter firewall, which won't have any information about the networks that reside behind the 2nd one).

It's not foolproof, but it will take some really advanced skills to get past this implementation. Corrections/suggestions are highly welcome. :)

Kind regards,
Femi M.
CCNP, CCIP, CCNA Sec, Associate (ISC)2
-----Original Message-----
From: marco cohen <marcocohen2 () gmail com>
Sender: listbounce () securityfocus com
Date: Thu, 24 May 2012 01:45:24
To: <security-basics () securityfocus com>
Subject: 2 firewalls protecting internal network

Hi all,

I know that there is a defence-in-depth idea to implement 2 firewalls, each from a different vendor. What do you think about it? Is it practical?

Thanks,
marco
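As an added illustration of the inner-firewall policy described in the reply above (default deny, only the return traffic of connections opened by internal hosts, source NAT on the inner firewall), here is a small Python simulation of that policy with connection tracking. This is example code written for this archive page, not a configuration from the original post or from any firewall product; the addresses (10.0.0.0/24 as the internal LAN, 192.0.2.0/24 as the DMZ, 192.0.2.1 as the firewall's DMZ-side NAT address) and all the packets are constructed. The last two scenarios show the one path this policy, by its own definition, still permits: a connection an internal host opens to a DMZ host, together with that connection's return traffic.

```python
"""Simulation of a stateful, default-deny inner firewall with source NAT.

Added example for this thread; addresses and traffic are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Assumed addressing (not from the post): internal LAN, DMZ, and the inner
# firewall's DMZ-facing address, used as the NAT source for outbound flows.
INTERNAL = ip_network("10.0.0.0/24")
DMZ = ip_network("192.0.2.0/24")
FW_DMZ_ADDR = "192.0.2.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for a TCP SYN that opens a new connection


class InnerFirewall:
    """Default-deny filter with connection tracking and source NAT.

    Policy as the post describes it: nothing crosses the inner firewall except
    (a) new connections opened by internal hosts and (b) the return traffic of
    those connections. An inbound packet that matches no tracked connection is
    dropped whether or not it carries a SYN.
    """

    def __init__(self):
        # original 4-tuple of an internal-initiated flow -> NAT port on FW_DMZ_ADDR
        self.conntrack = {}
        self.next_nat_port = 40000

    def filter(self, pkt):
        """Return (verdict, forwarded_packet); forwarded_packet is None on DROP."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)

        # Outbound: an established flow, or a new connection from an internal host.
        if src in INTERNAL and dst not in INTERNAL:
            if key not in self.conntrack:
                if not pkt.syn:
                    return "DROP", None  # stray non-SYN with no state
                self.conntrack[key] = self.next_nat_port
                self.next_nat_port += 1
            # SNAT: hide the internal address behind the firewall's DMZ address.
            return "ACCEPT", replace(pkt, src=FW_DMZ_ADDR, sport=self.conntrack[key])

        # Inbound: only return traffic for a tracked, internal-initiated flow,
        # which by construction is addressed to the NAT address and port.
        if pkt.dst == FW_DMZ_ADDR:
            for (isrc, isport, odst, odport), nat_port in self.conntrack.items():
                if (odst, odport, nat_port) == (pkt.src, pkt.sport, pkt.dport):
                    return "ACCEPT", replace(pkt, dst=isrc, dport=isport)

        # Anything else: a DMZ or internet host probing internal space, or an
        # unsolicited packet aimed at the firewall's NAT address.
        return "DROP", None


def run_scenarios():
    """Constructed traffic (not a capture) exercising the policy; returns verdicts."""
    fw = InnerFirewall()
    verdicts = {}
    # 1. Internal workstation opens HTTPS to a DMZ web server: new, internal-initiated.
    v, out = fw.filter(Packet("10.0.0.5", "192.0.2.10", 51000, 443, syn=True))
    verdicts["internal_to_dmz"] = (v, out.src if out else None)
    # 2. The web server's reply arrives at the NAT address/port: return traffic.
    v, out = fw.filter(Packet("192.0.2.10", FW_DMZ_ADDR, 443, out.sport))
    verdicts["dmz_reply"] = (v, out.dst if out else None)
    # 3. A compromised DMZ host tries to open a connection into the internal range.
    v, _ = fw.filter(Packet("192.0.2.10", "10.0.0.5", 4444, 445, syn=True))
    verdicts["dmz_initiated"] = v
    # 4. Same host sends a non-SYN packet at a guessed NAT port with no matching state.
    v, _ = fw.filter(Packet("192.0.2.10", FW_DMZ_ADDR, 443, 40999))
    verdicts["dmz_spoofed_ack"] = v
    # 5. An internet host targets the NAT address directly.
    v, _ = fw.filter(Packet("203.0.113.7", FW_DMZ_ADDR, 12345, 22, syn=True))
    verdicts["internet_to_fw"] = v
    # 6. The remaining path: an internal host connects OUT to the compromised DMZ
    #    host. The policy accepts that connection and its return traffic, so a
    #    pull-based or client-side attack is not stopped by this rule alone.
    v, out = fw.filter(Packet("10.0.0.7", "192.0.2.10", 52000, 4444, syn=True))
    verdicts["internal_to_compromised"] = v
    v, _ = fw.filter(Packet("192.0.2.10", FW_DMZ_ADDR, 4444, out.sport))
    verdicts["compromised_reply"] = v
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26s} {verdict}")
```

In a real deployment the same policy is a forward chain whose default is drop, one rule accepting established/related state, one rule accepting new connections arriving on the internal interface, and source NAT (masquerade) on the DMZ-facing interface; no route to the internal prefix is announced to the DMZ or the perimeter firewall. Scenarios 3 to 5 are why the post calls the design effective; scenario 6 is the class of circumvention the post asks about, and it is a reminder that the inner firewall restricts who may initiate, not what an internal client may be talked into doing once it has connected.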
Current thread:
- 2 firewalls protecting internal network marco cohen (May 24)
- Re: 2 firewalls protecting internal network Stephanus J Alex Taidri (May 24)
- Re: 2 firewalls protecting internal network synja (May 24)
- Re: 2 firewalls protecting internal network RobOEM (May 24)
- RE: 2 firewalls protecting internal network Mike Vella (May 24)
- Re: 2 firewalls protecting internal network Ferreira, Steve G. (May 24)
- RE: 2 firewalls protecting internal network David Gillett (May 24)
- RE: 2 firewalls protecting internal network Dan Lynch (May 24)
- Re: 2 firewalls protecting internal network Mrs. Y. (May 24)
- Re: 2 firewalls protecting internal network olufemimogaji (May 25)
- <Possible follow-ups>
- Re: 2 firewalls protecting internal network kartik . netsec (May 25)
- Re: 2 firewalls protecting internal network Mrs. Y. (May 25)
