
Thread: Multiple Firewalls - Depth of Security Tutorial

  1. #21
    Banned
    Join Date
    May 2003
    Posts
    1,004
    No, I am sorry but that is just plain incorrect.

    Data going from the internet to the server touches _all three_ firewalls! Therefore it is no different, as the attacker can now pick from 4 systems (the three firewalls and the server) to attack, and _any_ of those will have very bad consequences, unlike a system with only a single firewall. When you add more in this manner you are adding surface area for the attacker to target.

    IF... if you were using three different firewalls, and each one was told to block everything, then you would have a different situation, but you are forgetting the fact that they must pass data for the server to work.

    Do you understand?

    catch

  2. #22
    Senior Member
    Join Date
    Mar 2003
    Posts
    217
    i understand.

    adding more firewalls stacked in such a way does not add more surface area unless they all use different public IPs. assuming you're using some sort of NAT, you really should be better off...

    /bow
    i give up though.
    i'm starting to think that i'm bound to always be the first guy on the second page of the thread.

  3. #23
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Observe:

    Client > firewall1 > firewall2 > firewall3 > server

    compared to:

    Client > firewall > server

    Which has more surface area?

    catch

  4. #24
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    In a 3-tiered firewall architecture model, why the hell would you open up traffic through all 3 firewalls to allow connectivity to your Internal network? If I was asked to allow similar traffic through I would tell them to piss off!!

    In a multi-tiered (let's say 3) firewall design, would you place your Webserver on the Internal network (behind the 3 firewalls) or behind the first firewall?

    The whole idea of multi-tiered firewall design is to segregate (or DMZ) "risky" parts of your network. Servers that would be located between firewalls 1 and 3 (which is all segregated from the Internal network and Internet) would be stuff like webservers, proxies, mail servers, authentication servers... All stuff that you want to protect.

    My point being, sure, if you have a multi-tiered design (say 3), opening up holes in all 3 firewalls for each connection requirement is not providing you any security whatsoever. But if you have a multi-tiered design like this, you should NEVER allow single connections straight through all 3....
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.
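The two layouts argued over above (catch's inline chain in #23 and SoggyBottom's tiered DMZ in #24) can be compared mechanically by asking which devices an Internet-sourced flow actually has to pass through. The following is an added example, not code from the thread or from any of its posters: a small default-deny reachability model in Python. Every segment name, host, port and rule in it is constructed for illustration; each firewall matches a flow on its original (source segment, destination segment, port) the way a stateful packet filter would, so a hole "punched through" three inline firewalls is the same rule on all three.

```python
"""Toy reachability model for the two layouts argued over in this thread:
firewalls stacked inline (client > fw1 > fw2 > fw3 > server) versus a
tiered design with a DMZ between the Internet and the internal network.

Every segment name, host and rule below is a constructed example, not a
description of any real network. Each firewall is default-deny and, like
a stateful packet filter, matches every flow it carries on the flow's
original (source segment, destination segment, TCP port).
"""
from collections import deque


class Firewall:
    def __init__(self, name, seg_a, seg_b, allow):
        self.name = name
        self.joins = frozenset((seg_a, seg_b))  # the two segments it connects
        self.allow = set(allow)                 # {(src_seg, dst_seg, port)}; port 0 = any

    def permits(self, src_seg, dst_seg, port):
        return ((src_seg, dst_seg, port) in self.allow
                or (src_seg, dst_seg, 0) in self.allow)


class Network:
    def __init__(self, hosts, firewalls):
        self.hosts = hosts            # {host: (segment, {listening ports})}
        self.firewalls = firewalls

    def path(self, src_seg, dst_seg, port):
        """Firewalls a flow from src_seg to dst_seg:port crosses (shortest
        permitted route), or None if no route lets it through. Traffic
        inside one segment is never filtered, so the empty path is legal."""
        if src_seg == dst_seg:
            return []
        queue, seen = deque([(src_seg, [])]), {src_seg}
        while queue:
            seg, crossed = queue.popleft()
            for fw in self.firewalls:
                if seg not in fw.joins:
                    continue
                (nxt,) = fw.joins - {seg}
                if nxt in seen or not fw.permits(src_seg, dst_seg, port):
                    continue
                if nxt == dst_seg:
                    return crossed + [fw.name]
                seen.add(nxt)
                queue.append((nxt, crossed + [fw.name]))
        return None

    def reachable_from(self, src_seg):
        """{(host, port): firewalls crossed} for everything an attacker who
        owns a box in src_seg can connect to."""
        result = {}
        for host, (seg, ports) in self.hosts.items():
            for port in sorted(ports):
                crossed = self.path(src_seg, seg, port)
                if crossed is not None:
                    result[(host, port)] = tuple(crossed)
        return result

    def surface_for(self, src_seg):
        """Devices that admit and process traffic originating in src_seg:
        the reachable hosts plus every firewall on the way to them. (The
        outermost firewall also parses what it drops; that is true of
        both layouts and is left out of the comparison.)"""
        devices = set()
        for (host, _), crossed in self.reachable_from(src_seg).items():
            devices.add(host)
            devices.update(crossed)
        return devices


def inline_chain():
    """catch's picture: the same hole punched through all three firewalls."""
    hole = {("internet", "lan", 80)}
    return Network(
        hosts={"web": ("lan", {80, 22})},
        firewalls=[Firewall("fw1", "internet", "seg1", hole),
                   Firewall("fw2", "seg1", "seg2", hole),
                   Firewall("fw3", "seg2", "lan", hole)])


def single_firewall():
    return Network(
        hosts={"web": ("lan", {80, 22})},
        firewalls=[Firewall("fw", "internet", "lan", {("internet", "lan", 80)})])


def tiered_dmz():
    """SoggyBottom's picture: the web server lives in the DMZ, only it may
    talk to the database behind the inner firewall, and no rule anywhere
    carries an Internet-sourced flow into the internal segment."""
    return Network(
        hosts={"web": ("dmz", {80, 22}),
               "db": ("internal", {5432, 22}),
               "fileserver": ("internal", {445})},
        firewalls=[Firewall("fw-outer", "internet", "dmz", {("internet", "dmz", 80)}),
                   Firewall("fw-inner", "dmz", "internal", {("dmz", "internal", 5432)})])


if __name__ == "__main__":
    for label, net in (("inline chain", inline_chain()),
                       ("single firewall", single_firewall()),
                       ("tiered DMZ", tiered_dmz())):
        print(f"{label}: internet reaches {net.reachable_from('internet')}; "
              f"devices in the path: {sorted(net.surface_for('internet'))}")
    # A foothold on the DMZ web server gets exactly one hop further.
    print("tiered DMZ, from dmz:", tiered_dmz().reachable_from("dmz"))
```

Running it shows the two arguments side by side: in the inline chain the Internet reaches `web:80` only after fw1, fw2 and fw3 have each accepted the flow, so four devices process untrusted traffic versus two with a single firewall; in the tiered layout the Internet reaches `web:80` through fw-outer alone, `path("internet", "internal", 5432)` is `None` because no firewall carries an Internet-to-internal rule, and an attacker who already owns the DMZ web server can open nothing on the internal segment except `db:5432`. The model only counts devices on admitted paths; the outermost firewall in either layout still has to parse every packet it drops.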

  5. #25
    Banned
    Join Date
    May 2003
    Posts
    1,004
    yes this is a different point, as now the network is being compartmentalized, and that is a good thing, that is different than inline redundancy.

    catch

  6. #26
    Priapistic Monk KorpDeath
    Join Date
    Dec 2001
    Posts
    2,628
    Where did Soggy say anything about inline firewalls? I'm unclear on that catch. You obviously know your stuff but I think including my comment about those pesky engineers should've made his point quite clear. Right?

    My comment was about using firewalls to protect your internal network from not only the Internet but those pesky software AND hardware engineers, who are more than happy to "test" equipment or software without regard to corporate policy or network management.

    Simple segregation of traffic by using various firewalls throughout the network would reduce the risk of an internal "attack".

    Anyway both points are valid and explained quite well. Keep up the good work.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  7. #27
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Soggy didn't say anything about inline firewalls, but several other people, including sickyourIT did.

    My initial response to Soggy was just to express that there are two good camps to security, lots of layers or minimization... but nothing in between.

    Frequently these are used together, with minimalistic systems placed together in layers.

    catch

  8. #28
    Senior Member
    Join Date
    Mar 2003
    Posts
    217
    a few links to check out....


    http://www.informit.com/isapi/produc...t/articlex.asp

    http://www.shmoo.com/mail/fw1/nov98/msg00502.html

    http://www.greatcircle.com/firewalls-book/contents.html (good text file on firewalls)

    http://www.cisco.com/warp/public/cc/...it/1584_pp.htm (parallel reasons and references - ie different firewalls for different apps, etc.)


    worth a click.

    (just thought i would put my references up, so people wouldn't think i was out of my mind.)
    i'm starting to think that i'm bound to always be the first guy on the second page of the thread.
