NFR Wizards Archive: placement of AG vs SPF


Woody Weaver (woodywiltelnsi.com)
Fri, 18 Sep 1998 11:18:13 -0700


Let's suppose we have the following sort of network compartmentalization:

                                                                    /- net 1
Internet --- Firewall --- (inter-firewall segment) --- Firewall - net 2...
                 / | \               |                              \- net N
                DMZ services Bastion services

DMZ services are public, you mostly want to keep them from crashing; no
significant data will reside there (they'd be refreshed from inside on a
regular basis). Bastion services include authentication, logging, and pass
through to internal databases. Inside the second firewall are users,
protected internal servers, etc.

Let's say you are a belts-and-suspenders sort of guy, and believe that two
separate firewall technologies should be used, so you decide that one
firewall will be a "mostly application gateway" firewall (sometimes called
a proxy... :) ) and the other will be a "mostly stateful packet filter"
firewall. If the specific product matters, let's say one is going to be
Gauntlet, and the other Checkpoint's FW1.

Which would you put on the outside as the screening firewall, and which on
the inside as the internal firewall, and why? Does the specific product
matter, or is the reasoning based upon AG vs SPF?

--woody

--
Robert Wooddell Weaver               email:  woodywiltelnsi.com
Network Engineer                     voice:  510.358.3972
Williams Communication Data Group    pager:  510.702.4334


