Subject: RE: [fw-wiz] firewall architectures
From: fernando_montenegrohp.com
Date: Wed May 24 2000 - 06:51:54 CDT


Hello!

> The firewall
> restricts access from the Internet to these servers to
> appropriate web traffic,
> but also restricts access by these servers to Internal network.
> ASCII diagram
> Internet
> |
> [screening router]
> |
> [firewall]----------------[Internet servers]
> |
> [screening router]
> |
> Internal WAN

One thing I have used successfully in the past has been to separate the
[Internet servers]->Internal_WAN traffic from the [Internet servers]->Internet
traffic by using two (or more) LAN cards. I like to use the "bank teller"
analogy: any transactions a bank employee does with the bank don't use the
"customer" infrastructure (standing in line at the next teller).

By separating traffic between:
- public interfaces
- private (data) interfaces, when needed
- administration interfaces

You get a significant improvement in the granularity (i.e., finer control) on
what kind of traffic a particular server sees. This has the added bonus of
allowing for finer network-level filtering (as simple as it is, you can use MS'
packet filtering functionality in a more controlled manner).

ASCII diagram

         Internet
             |
    [screening router]
             |
        [        ]----------------[Internet servers]
        [firewall]                         |
        [        ]-------------------------+
             |
    [screening router]
             |
       Internal WAN

This can be improved by using two different firewalls, of course. Your mileage
(and your budget) may vary...

Hope this helps.

Cheers,
Fernando

--
Fernando da Silveira Montenegro     Hewlett-Packard Brasil
HP Consulting - IT Security         Al. Rio Negro, 750 - Alphaville
mailto:fernando_montenegrohp.com   Barueri, SP - Brazil 06454-000
voice: +55-11-7297-4351             #include <disclaimer.h>
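As an added illustration (not part of the original post or its author's setup), here is what the "public / data / admin interface" split looks like as a host packet filter on one of the Internet servers, written as a modern nftables ruleset in place of the NT-era packet filtering mentioned above. Interface names, the database address, the management subnet and the syslog collector are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Assumed layout (placeholders, not from the post):
#   eth0 = public leg      (toward the firewall's Internet side)
#   eth1 = private data leg (toward the Internal WAN, e.g. the database)
#   eth2 = administration leg (management subnet only)
define PUBLIC_IF   = "eth0"
define DATA_IF     = "eth1"
define ADMIN_IF    = "eth2"
define INTERNAL_DB = 10.10.20.5
define MGMT_NET    = 10.10.99.0/24
define SYSLOG_HOST = 10.10.99.10

flush ruleset

table inet server_policy {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Public leg: the Internet may reach the web service and nothing else.
        iifname $PUBLIC_IF tcp dport { 80, 443 } ct state new accept

        # Data leg: the server initiates toward the Internal WAN; no new
        # inbound connections are accepted here (replies match above).

        # Admin leg: SSH only, and only from the management subnet.
        iifname $ADMIN_IF ip saddr $MGMT_NET tcp dport 22 ct state new accept

        # Everything else is dropped; rate-limited log feeds detection.
        limit rate 5/minute log prefix "server_policy inbound drop: "
    }

    chain output {
        type filter hook output priority filter; policy drop;

        oif "lo" accept
        ct state established,related accept

        # No rule for $PUBLIC_IF: the server never opens connections
        # toward the Internet (the "customer line" is not for staff).

        # Data leg: only the database, only on its service port.
        oifname $DATA_IF ip daddr $INTERNAL_DB tcp dport 5432 ct state new accept

        # Admin leg: logs go to the management collector only.
        oifname $ADMIN_IF ip daddr $SYSLOG_HOST udp dport 514 accept

        limit rate 5/minute log prefix "server_policy outbound drop: "
    }
}
```

Because each leg carries one kind of traffic, a connection attempt on the wrong interface (a database probe arriving on eth0, or an outbound connection leaving via the public leg) is both dropped and logged, which is the finer per-server control the post describes.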