From: Heath Satterfield (hsatterfield@Enspherics.com)
Date: Fri Oct 05 2001 - 07:50:57 CDT


    I really hate getting 50 responses to the same question, but will go ahead
    with this anyway.

    The layered architecture is becoming an ever more common practice in both
    government and industry deployments; therefore, I think it is very important
    to realize the benefits and drawbacks.

    The layered approach to firewall architecture does NOT provide redundancy
    nor does it eliminate a single point of failure.

    Two (2) firewalls are used with one (1) Internet presence, with the
    architecture looking like so:
       INTERNET - FW - DMZ - FW - LAN
    Note: to add redundancy, and eliminate the single point of failure, you
    would need dual FW's with Internet connection, connected to a switch/hub
    in the DMZ.

    Like others have already stated, the benefits are:
    1. Network is divided into logical "Zones", where each Zone must traverse a
    FW to get to another zone.

    2. Less cumbersome rule sets. Internet can only communicate with DMZ, which
    would contain hosts such as web servers, external SMTP, Citrix, portals,
    etc.

    3. In turn, DMZ communicates with internal LAN for data sources.

    4. If two different FW products are used, the thought is that if the FW
    with Internet presence is hacked, no valuable information is available. The
    second firewall must be hacked as well to get to the "good stuff". However,
    this can add a bit of admin overhead, as it may require someone.

    Another twist on this architecture is when you have other "untrusted"
    entities that share your Internet connection (many county governments are
    structured this way). The problem being that you have no control over
    their backend connections (modems on desktops, DSL line, etc). With the
    previous architecture, you can add in these entities at your own comfort
    level, with a DMZ interface on either the external or internal FW.

    Hope this helps someone....
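    A worked model of the INTERNET - FW - DMZ - FW - LAN design discussed in
    this thread. This is an added example, not code posted by Heath or by any
    of the other participants. The address plan (192.0.2.0/24 for the DMZ,
    10.0.0.0/8 for the LAN), the host roles WEB, SMTP_RELAY, DB and MAIL and
    the rule sets are all constructed for the illustration; only the first
    packet of each TCP flow is evaluated, with stateful inspection assumed to
    admit the replies. It shows the two smaller rule sets the posts describe
    (the Internet talks only to published DMZ services; only named DMZ hosts
    reach named LAN data sources), that anything between the Internet and the
    LAN has to satisfy both devices, and what is still reachable if the
    external firewall is compromised and passes everything.

```python
"""Packet-filter model of INTERNET - FW - DMZ - FW - LAN.

Added example for this thread, not code posted by any of its authors.
The address plan, host roles and rules below are constructed for the
illustration. Only the first packet of a TCP flow is evaluated; stateful
inspection is assumed to admit the replies. Both firewalls default-deny.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed address plan (assumption). Anything else counts as INTERNET.
ZONES = {"DMZ": ip_network("192.0.2.0/24"), "LAN": ip_network("10.0.0.0/8")}
ZONE_NAMES = ("INTERNET", "DMZ", "LAN")


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    """Permit rule; fields left as None match anything."""
    src_zone: str
    dst_zone: str
    dport: Optional[int] = None
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (zone_of(src_ip) == self.src_zone
                and zone_of(dst_ip) == self.dst_zone
                and (self.dport is None or self.dport == dport)
                and (self.src is None or ip_address(src_ip) in self.src)
                and (self.dst is None or ip_address(dst_ip) in self.dst))


def permits(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> bool:
    """Permit list with an implicit default deny."""
    return any(r.matches(src_ip, dst_ip, dport) for r in rules)


def host(ip: str) -> IPv4Network:
    return ip_network(ip + "/32")


# Constructed host roles (assumption).
WEB, SMTP_RELAY = "192.0.2.10", "192.0.2.25"   # DMZ
DB, MAIL = "10.0.1.5", "10.0.1.25"             # LAN data sources

# External FW: the Internet only reaches DMZ hosts, on the services they
# publish. The LAN appears only for outbound browsing.
EXTERNAL_FW = [
    Rule("INTERNET", "DMZ", 80, dst=host(WEB)),
    Rule("INTERNET", "DMZ", 443, dst=host(WEB)),
    Rule("INTERNET", "DMZ", 25, dst=host(SMTP_RELAY)),
    Rule("DMZ", "INTERNET", 25, src=host(SMTP_RELAY)),
    Rule("LAN", "INTERNET", 443),
]
# Internal FW: only named DMZ hosts reach their named LAN data sources.
INTERNAL_FW = [
    Rule("DMZ", "LAN", 3306, src=host(WEB), dst=host(DB)),
    Rule("DMZ", "LAN", 25, src=host(SMTP_RELAY), dst=host(MAIL)),
    Rule("LAN", "DMZ", 22),          # admin access from inside
    Rule("LAN", "INTERNET", 443),
]
FIREWALLS = {"external": EXTERNAL_FW, "internal": INTERNAL_FW}

# Devices a flow crosses. INTERNET <-> LAN must traverse the DMZ, so it
# has to be permitted by both rule sets.
PATH = {
    ("INTERNET", "DMZ"): ["external"], ("DMZ", "INTERNET"): ["external"],
    ("DMZ", "LAN"): ["internal"], ("LAN", "DMZ"): ["internal"],
    ("INTERNET", "LAN"): ["external", "internal"],
    ("LAN", "INTERNET"): ["internal", "external"],
}


def allowed(src_ip: str, dst_ip: str, dport: int,
            firewalls: Dict[str, List[Rule]] = FIREWALLS) -> bool:
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    if sz == dz:
        return True  # same zone: no firewall on the path
    return all(permits(firewalls[fw], src_ip, dst_ip, dport)
               for fw in PATH[(sz, dz)])


# Point 4 in the post: external FW compromised and forwarding everything.
ALLOW_ALL = [Rule(s, d) for s in ZONE_NAMES for d in ZONE_NAMES]


def allowed_external_compromised(src_ip: str, dst_ip: str, dport: int) -> bool:
    return allowed(src_ip, dst_ip, dport,
                   {"external": ALLOW_ALL, "internal": INTERNAL_FW})


if __name__ == "__main__":
    ATTACKER = "203.0.113.7"  # constructed Internet address
    for src, dst, port in [(ATTACKER, WEB, 80), (ATTACKER, WEB, 22),
                           (ATTACKER, DB, 3306), (WEB, DB, 3306)]:
        print(f"{src:>13} -> {dst}:{port:<5} normal={allowed(src, dst, port)!s:<5}"
              f" external_fw_owned={allowed_external_compromised(src, dst, port)}")
```

    Note that the internal rule set never has to mention Internet addresses
    at all, and the external one never has to know which LAN hosts exist;
    that split is the "less cumbersome rule sets" point. With the external
    device passing everything, every DMZ port becomes reachable, but the LAN
    data sources stay unreachable from the Internet because the internal rules
    only admit the named DMZ hosts as sources.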

    -----Original Message-----
    From: Paul D. Shaffer [mailto:paulshaf@earthlink.net]
    Sent: Thursday, October 04, 2001 6:05 PM
    To: Rob Collins
    Cc: CISSPSTUDY@securityfocus.com
    Subject: RE: "design the firewall system" practice from the CERT
    Security Improvement Modules

    Rob, the benefit is in the keyword "layered." By adding a second firewall
    layer, an admin gains flexibility, redundancy and more granular control over
    the traffic passing through the system. Single point of failure is
    mitigated, and additional options for placing and managing, for example,
    intrusion detection devices are gained.

    As we are all probably well aware, there will always be a tradeoff in added
    complexity and administrative overhead whenever additional devices or
    systems are added to a network. The decision to employ a more complex,
    "layered" protection scheme would be based on various factors including
    traffic loads on the various segments, applications hosted at different
    points on the network and their commensurate security requirements, etc.
    Hope this helps...

    Paul

    -----Original Message-----
    From: Rob Collins [mailto:robtompc@yahoo.com]
    Sent: Thursday, October 04, 2001 4:52 PM
    To: Arlen Fletcher; CISSPSTUDY@SECURITYFOCUS.COM
    Subject: RE: "design the firewall system" practice from the CERT
    Security Improvement Modules

    Just to be clear, the two different architectures are:
    Basic firewall with DMZ network architecture;
       INTERNET
          |
    LAN---o---DMZ
    Dual firewall with DMZ network architecture;
       INTERNET
          |
          o
          |___DMZ
          |
          o
          |
         LAN

    In both architectures, traffic from any one segment to
    another must first pass a firewall. The difference,
    so far as I see, is entirely in the shape of the rules
    the firewall(s) use.

    Maybe I'm not understanding 'layering'. What benefit
    does putting the second firewall in provide? I see
    complications (like an extra firewall), but no benefit
    in making traffic destined for the intranet traverse
    the DMZ.

    --- Arlen Fletcher <Arlen.Fletcher@farm-credit.com>
    wrote:
    > It's a layered defense.

    =====
    --r
    "Experience is that marvelous thing that enables you to recognize a mistake
    when you make it again." -- F. P. Jones
