From: Grayson, David (Australia) (david_grayson@exchange.au.ml.com)
Date: Thu Oct 04 2001 - 19:04:09 CDT


    A couple of points:

    * The use of a single-firewall architecture gives a single point of failure
    - if that box is compromised your internal network is exposed. The use of
    two different firewall products for the internal and external firewalls
    gives another layer of security (DMZ is sacrificial if the external firewall
    is compromised). The drawback here is the greater requirement both in
    equipment/software and skill sets (maintenance of two different systems).

    * Additionally (and debated by some), a single-firewall architecture with
    three interfaces requires the configuration of a more complicated three-path
    rule set (although admittedly the one from the internal network to the
    external could be completely disallowed) over two single path rule sets.
    These two rule sets can be very different and if the external firewall is
    well configured, traffic to the internal firewall should contain less
    garbage and be very easy to monitor relatively - i.e. it gives the advantage
    of modularity. This lower-complexity method can reduce configuration
    errors.

    I recommend reading Building Internet Firewalls (2nd Ed) by Zwicky et alia
    from O'Reilly for the basics. Enjoy!

    David Grayson

    > -----Original Message-----
    > From: Rob Collins [mailto:robtompc@yahoo.com]
    > Sent: Friday, October 05, 2001 7:07 AM
    > To: CISSPSTUDY@SECURITYFOCUS.COM
    > Subject: "design the firewall system" practice from the CERT
    > Security Improvement Modules
    >
    >
    > Hi all,
    >
    > I was reading the CERT practice specified in the
    > subject line (it is available here:
    > http://www.cert.org/security-improvement/practices/p053.html).

    > Within, they talk about firewall architectures. The
    > DMZ network (figure 1.6), maps well to the IDS Zone
    > Theory Diagram by Scott Sanchez, and makes perfectly
    > good sense to me. But the practice suggests, as more
    > secure, a dual firewall with DMZ network architecture
    > (figure 1.7). It does not provide details as to why
    > this architecture is considered to be of increased effectiveness.
    >
    > The dual firewall design places a firewall at the
    > external perimeter, which connects to the DMZ network
    > (and the internet). On the DMZ network is another
    > firewall, which sits at the internal network perimeter.
    >
    > =====
    > --r
    > "Experience is that marvelous thing that enables you to recognize a mistake
    > when you make it again." -- F. P. Jones

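The two architectures compared in this thread, as an added example that is not part of either poster's message, the CERT module or the Zwicky book. It is a small Python model of the policy decision only: one three-interface box with a single three-path rule set, versus an external firewall (internet|DMZ) in series with an internal firewall (DMZ|internal), each carrying a single-path rule set. The zones, ports and rules are hypothetical; the point it shows is the one made above, that when the single box is owned the internal network is fully exposed, while when the external box of the dual design is owned the internal firewall still only passes what its own DMZ-to-internal rules allow, so the DMZ is sacrificial and the residual exposure is exactly the services the internal rule set deliberately opens.

```python
"""Policy model of single-firewall (three-interface) vs dual-firewall DMZ designs.

Added example with hypothetical zones, ports and rules; not code from the thread,
the CERT practice or Building Internet Firewalls.
"""
from dataclasses import dataclass
from typing import List, Optional

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


class Firewall:
    """First-match rule set; anything unmatched hits the default policy."""

    def __init__(self, name: str, rules: List[Rule], default: str = "deny"):
        self.name = name
        self.rules = list(rules)
        self.default = default

    def permits(self, src: str, dst: str, dport: int) -> bool:
        for r in self.rules:
            if r.src == src and r.dst == dst and r.dport in (None, dport):
                return r.action == "allow"
        return self.default == "allow"

    def compromised(self) -> "Firewall":
        """Model an owned box: the attacker has made it forward everything."""
        return Firewall(self.name + "(owned)", [], default="allow")


# Architecture 1: one box, three interfaces, one three-path rule set.
SINGLE = Firewall("single", [
    Rule(INTERNET, DMZ, 80, "allow"),        # public web server
    Rule(INTERNET, DMZ, 25, "allow"),        # inbound mail relay
    Rule(DMZ, INTERNAL, 3306, "allow"),      # web tier to internal database
    Rule(INTERNAL, DMZ, None, "allow"),      # admins reach DMZ hosts
    Rule(INTERNAL, INTERNET, None, "allow"),
    # internet -> internal: no rule, falls through to default deny
])

# Architecture 2: two boxes, each with a two-zone, single-path rule set.
EXTERNAL = Firewall("external", [
    Rule(INTERNET, DMZ, 80, "allow"),
    Rule(INTERNET, DMZ, 25, "allow"),
    Rule(DMZ, INTERNET, None, "allow"),
])
INTERNAL_FW = Firewall("internal", [
    Rule(DMZ, INTERNAL, 3306, "allow"),
    Rule(INTERNAL, DMZ, None, "allow"),
])

# Which firewall(s) a flow crosses in the dual design, and the zone pair each
# one sees. Internet <-> internal traffic crosses both in series; on the
# internal firewall it arrives from the DMZ segment, not "the internet".
DUAL_PATH = {
    (INTERNET, DMZ):      [("external", INTERNET, DMZ)],
    (DMZ, INTERNET):      [("external", DMZ, INTERNET)],
    (DMZ, INTERNAL):      [("internal", DMZ, INTERNAL)],
    (INTERNAL, DMZ):      [("internal", INTERNAL, DMZ)],
    (INTERNET, INTERNAL): [("external", INTERNET, DMZ), ("internal", DMZ, INTERNAL)],
    (INTERNAL, INTERNET): [("internal", INTERNAL, DMZ), ("external", DMZ, INTERNET)],
}


def single_permits(src: str, dst: str, dport: int, compromised: bool = False) -> bool:
    fw = SINGLE.compromised() if compromised else SINGLE
    return fw.permits(src, dst, dport)


def dual_permits(src: str, dst: str, dport: int, external_compromised: bool = False) -> bool:
    boxes = {
        "external": EXTERNAL.compromised() if external_compromised else EXTERNAL,
        "internal": INTERNAL_FW,
    }
    # Every firewall on the path must allow the flow.
    return all(boxes[name].permits(s, d, dport) for name, s, d in DUAL_PATH[(src, dst)])


def zone_pairs(fw: Firewall) -> set:
    """Distinct (src, dst) zone pairs a rule set has to reason about."""
    return {(r.src, r.dst) for r in fw.rules}


if __name__ == "__main__":
    for port in (22, 3306):
        print(f"internet->internal:{port}",
              "single healthy", single_permits(INTERNET, INTERNAL, port),
              "single owned", single_permits(INTERNET, INTERNAL, port, True),
              "dual healthy", dual_permits(INTERNET, INTERNAL, port),
              "dual ext owned", dual_permits(INTERNET, INTERNAL, port, True))
    for fw in (SINGLE, EXTERNAL, INTERNAL_FW):
        print(fw.name, "zone pairs:", len(zone_pairs(fw)))
```

Running it shows internet-to-internal SSH denied in both healthy designs, allowed once the single box is owned, and still denied when only the external box of the dual design is owned; what does leak through in that case is port 3306, because the internal rule set opens it from the DMZ, which is the trade-off the thread's "sacrificial DMZ" wording describes. The zone-pair counts (four on the single box, two on each of the dual boxes) are the modularity argument in numbers.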