-
September 4th, 2005, 10:11 PM
#1
New Project - Triple-Decker Firewall Sandwich with Snort on the Side...Need Input
Well, the concept of a firewall sandwich is not new, but I was really bored and got the itch to tinker!
I got a lot of excess gear to play with back home, and I just downloaded the Trustix Firewall, so I'm contemplating a triple-decker sandwich consisting of a Cisco 1720, a SonicWall Pro 230, and Trustix Firewall. Yeah, I know...It's ultra-paranoid to think you would need such a setup, but I figured what the hey!
What I envision is the Cisco 1720 being directly connected to the internet, with the private interface being connected to the SonicWall. From there, the SonicWall's VPN and LAN interfaces will go to a Catalyst on separate VLANs with a Trustix box running Snort on each VLAN.
On the VLAN connected to the SonicWall's LAN port, I'll connect the Trustix Firewall, which will be the perimeter firewall for the LAN. The firewall rules will start out granular at the router, and get tighter and tighter as you move down.
What do you guys think? Anyone else out there ever attempt something so crazy? Just wanted to get you guys' feedback.
Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
-
September 4th, 2005, 10:59 PM
#2
It's not so crazy. My box at school is behind 3 firewalls. I have a personal firewall, then the firewall on the router in my room that my computer and my roommates' computers connect to, and then the firewall for the school LAN on the server that everyone on the school network has to go through to access the 'net. Most people I know would still say that one properly configured firewall is better than a dozen that are mis-configured or left wide open.
Sounds like you have a different setup though... Let us all know what you find with your experiments.
-
September 5th, 2005, 09:46 PM
#3
Just for curiosity's (spelled that wrong) sake, what are you firewalling? If it's a school or business I could understand, but a home network?!!?! I don't know, maybe I'm behind the times (I don't think so), but that sounds a little overkill, lol. Well, have fun and hopefully it all works really well.
-
September 5th, 2005, 09:59 PM
#4
Unfortunately, three firewalls are worse than one. The extra firewalls actually increase the surface area of the system rather than decrease it; consequently the insecurities compound based on each firewall's assurance difference from 100%.
To simplify:
If firewall 1 = 99% assured (this is greatly simplified, but bear with me)
The system's firewalls are 99% assured.
If firewalls 2 and 3 are also 99% assured,
The system's firewalls are now 99% of 99% of 99%, or ~97%... because each firewall compromise will compromise the entire system. (traffic can be manipulated at any point)
cheers,
catch
-
September 5th, 2005, 10:06 PM
#5
I'd have to agree with catch's math..
At least if it is a 'parallel' system, which I seem to read here.. (sandwich) and the way you tell it..
Perhaps an image (chart) of the system would be helpful in understanding what you are actually doing..
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
September 5th, 2005, 10:42 PM
#6
So catch, assuming that the school's firewall that I'm behind sucks (which it does), then are you saying that could make my computer more vulnerable than if I were only behind one good firewall?
-
September 6th, 2005, 12:01 AM
#7
At least if it is a 'parallel' system, which I seem to read here.. (sandwich) and the way you tell it..
There really is no way to mitigate this assuming all the firewalls are protecting the same systems. (without a really messed up architecture anyhow) Since each firewall would process all/nearly all of the traffic.
So catch, assuming that the school's firewall that I'm behind sucks (which it does), then are you saying that could make my computer more vulnerable than if I were only behind one good firewall?
You want to have the exact minimum controls to meet your needs and nothing more.
cheers,
catch