From: Paul Cardon (paul@moquijo.com)
Date: Thu Oct 04 2001 - 20:50:56 CDT
Rob Collins wrote:
>
> Just to be clear, the two different architectures are:
> Basic firewall with DMZ network architecture;
>       INTERNET
>          |
>   LAN---o---DMZ
> Dual firewall with DMZ network architecture;
>       INTERNET
>          |
>          o
>          |___DMZ
>          |
>          o
>          |
>         LAN
>
> In both architectures, traffic from any one segment to
> another must first pass a firewall. The difference,
> so far as I see, is entirely in the shape of the rules
> the firewall(s) use.
>
> Maybe I'm not understanding 'layering'. What benefit
> does putting the second firewall in provide? I see
> complications (like an extra firewall), but no benefit
> in making traffic destined for the intranet traverse
> the DMZ.
Some of the benefits (not all security specific) are:
1) Scalability - the 3-legged firewall must handle front-end and
back-end traffic while the layered approach separates them.
2) Simpler rule sets, especially if NAT is involved.
3) Change control requirements for front-end and back-end are often
quite different. A layered approach separates those changes and reduces
potential cross-impact.
You assume a policy that allows external traffic to your intranet. That
in itself may not be a wise decision. Some sites have a policy that
requires all external activity to interact only with servers in the
DMZ. No connections directly to internal systems are permitted. All
access to the external world from the inside must pass through proxies.
Inbound and outbound traffic may even use separate infrastructure where
one is layered and the other isn't. It all depends on the risks you
need to address and the other non-security requirements that you must
meet.
-paul
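A small model of the two topologies and their rule sets, as an added example that is not from the thread; the segment names, ports and rules are assumptions chosen to match the policy Paul describes (external traffic only to DMZ servers, inside-to-outside only via a proxy):

```python
"""Constructed model: a three-legged firewall versus a layered front-end/back-end pair.
Segment names, ports and rules are assumptions, not from the thread."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str   # source segment
    dst: str   # destination segment
    port: int  # destination TCP port

def allowed(rules, src, dst, port):
    """Default deny: a packet passes a firewall only if some rule matches it."""
    return any(r.src == src and r.dst == dst and r.port == port for r in rules)

# Three-legged: one rule set carries both front-end and back-end traffic.
THREE_LEGGED = [
    Rule("INTERNET", "DMZ", 443),   # public web server
    Rule("DMZ", "LAN", 5432),       # web tier to internal database
    Rule("LAN", "DMZ", 3128),       # inside users to the outbound proxy
    Rule("DMZ", "INTERNET", 80),    # proxy to the outside world
]
# Layered: front-end firewall between INTERNET and DMZ, back-end between DMZ and LAN.
FRONT_END = [Rule("INTERNET", "DMZ", 443), Rule("DMZ", "INTERNET", 80)]
BACK_END = [Rule("DMZ", "LAN", 5432), Rule("LAN", "DMZ", 3128)]

SEGMENTS = ["INTERNET", "DMZ", "LAN"]   # in the layered design, firewall i sits between i and i+1

def firewalls_crossed(src, dst, fws):
    """Rule sets a flow must satisfy. One rule set = three-legged (crossed once);
    two = layered, where INTERNET->LAN must pass both devices."""
    i, j = SEGMENTS.index(src), SEGMENTS.index(dst)
    if i == j:
        return []
    if len(fws) == 1:
        return fws
    lo, hi = sorted((i, j))
    return fws[lo:hi]

def permitted(src, dst, port, fws):
    return all(allowed(fw, src, dst, port) for fw in firewalls_crossed(src, dst, fws))

def rule_counts():
    """Rules each device must hold: the layered pair splits the load."""
    return {"three_legged": len(THREE_LEGGED), "front_end": len(FRONT_END), "back_end": len(BACK_END)}

if __name__ == "__main__":
    # A mistaken front-end change opening INTERNET->LAN is still stopped at the back end;
    # the same mistake on the single three-legged firewall exposes the LAN directly.
    leak = Rule("INTERNET", "LAN", 5432)
    print(permitted("INTERNET", "LAN", 5432, [FRONT_END + [leak], BACK_END]))   # False
    print(permitted("INTERNET", "LAN", 5432, [THREE_LEGGED + [leak]]))          # True
```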