
 
From: Paul D. Shaffer (paulshaf@earthlink.net)
Date: Thu Oct 04 2001 - 19:04:46 CDT


    Rob, the benefit is in the keyword "layered." By adding a second firewall
    layer, an admin gains flexibility, redundancy and more granular control over
    the traffic passing through the system. The single point of failure is
    mitigated, and additional options for placing and managing, for example,
    intrusion detection devices are gained.

    As we are all probably well aware, there will always be a tradeoff in added
    complexity and administrative overhead whenever additional devices or
    systems are added to a network. The decision to employ a more complex,
    "layered" protection scheme would be based on various factors including
    traffic loads on the various segments, applications hosted at different
    points on the network and their commensurate security requirements, etc.
    Hope this helps...

    Paul

    -----Original Message-----
    From: Rob Collins [mailto:robtompc@yahoo.com]
    Sent: Thursday, October 04, 2001 4:52 PM
    To: Arlen Fletcher; CISSPSTUDY@SECURITYFOCUS.COM
    Subject: RE: "design the firewall system" practice from the CERT
    Security Improvement Modules

    Just to be clear, the two different architectures are:
    Basic firewall with DMZ network architecture:
       INTERNET
          |
    LAN---o---DMZ
    Dual firewall with DMZ network architecture:
       INTERNET
          |
          o
          |___DMZ
          |
          o
          |
         LAN

    In both architectures, traffic from any one segment to
    another must first pass a firewall. The difference,
    so far as I see, is entirely in the shape of the rules
    the firewall(s) use.

    Maybe I'm not understanding 'layering'. What benefit
    does putting the second firewall in provide? I see
    complications (like an extra firewall), but no benefit
    in making traffic destined for the intranet traverse
    the DMZ.

    --- Arlen Fletcher <Arlen.Fletcher@farm-credit.com>
    wrote:
    > It's a layered defense.

    =====
    --r
    "Experience is that marvelous thing that enables you to recognize a mistake
    when you make it again." -- F. P. Jones

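As an added illustration that is not part of either message above: a small policy model of the two diagrams in the thread. It assumes zone names INTERNET, DMZ and LAN, firewalls named fw (single layout) and outer/inner (dual layout), and a constructed intended policy; it shows that a LAN-bound flow crossing both firewalls changes what a single misconfigured ruleset exposes.

```python
"""Constructed policy model of the two layouts in the thread: a single
three-legged firewall (LAN---o---DMZ, INTERNET on top) and a dual-firewall
chain (INTERNET -o- DMZ -o- LAN). A flow passes only if every firewall on
its path permits it; each firewall denies by default."""

# Ordered list of firewalls a flow crosses between two zones (assumed names).
SINGLE = {("INTERNET", "DMZ"): ["fw"], ("INTERNET", "LAN"): ["fw"],
          ("DMZ", "LAN"): ["fw"], ("LAN", "DMZ"): ["fw"],
          ("LAN", "INTERNET"): ["fw"]}
DUAL = {("INTERNET", "DMZ"): ["outer"], ("INTERNET", "LAN"): ["outer", "inner"],
        ("DMZ", "LAN"): ["inner"], ("LAN", "DMZ"): ["inner"],
        ("LAN", "INTERNET"): ["inner", "outer"]}

# Intended policy (constructed), identical for both layouts: Internet reaches
# only the DMZ web tier on 80/tcp, LAN browses out, DMZ reaches an internal DB.
INTENT = {("INTERNET", "DMZ", 80), ("LAN", "INTERNET", 80), ("DMZ", "LAN", 1433)}

class Firewall:
    def __init__(self, name):
        self.name = name
        self.rules = set(INTENT)   # each device carries the whole intent
        self.allow_any = False     # models an accidental permit-any rule

    def permits(self, src, dst, port):
        return self.allow_any or (src, dst, port) in self.rules

def build_policies(topology):
    names = {fw for path in topology.values() for fw in path}
    return {n: Firewall(n) for n in names}

def flow_allowed(topology, policies, src, dst, port):
    """Every firewall on the path must permit the flow (default deny)."""
    path = topology.get((src, dst))
    if path is None:
        return False                # zones are not adjacent at all
    return all(policies[fw].permits(src, dst, port) for fw in path)

PROBES = [("DMZ", 80), ("DMZ", 22), ("LAN", 22), ("LAN", 1433)]

def internet_exposure(topology, faulty_fw=None):
    """Flows from INTERNET that get through, optionally after one firewall
    has been misconfigured to permit everything."""
    policies = build_policies(topology)
    if faulty_fw is not None:
        policies[faulty_fw].allow_any = True
    return sorted(f"{dst}:{port}" for dst, port in PROBES
                  if flow_allowed(topology, policies, "INTERNET", dst, port))

if __name__ == "__main__":
    for label, topo, fault in [("single", SINGLE, "fw"), ("dual", DUAL, "outer")]:
        print(label, "healthy:", internet_exposure(topo),
              "| after fault in", fault + ":", internet_exposure(topo, fault))
```

Healthy, both layouts expose only DMZ:80; with one permit-any mistake the single firewall exposes every probe including the LAN, while the dual layout's inner firewall still holds the LAN closed. The cost Paul mentions shows up as two rule sets that must be kept consistent with the same intent.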