
Thread: New Project - Triple-Decker Firewall Sandwich with Snort on the Side...Need Input

  1. #1 576869746568617 ("Yes, that's my CC number!") | Join Date: Dec 2003 | Location: Earth | Posts: 397

    Well, the concept of a firewall sandwich is not new, but I was really bored and got the itch to tinker!

    I got a lot of excess gear to play with back home, and I just downloaded the Trustix Firewall, so I'm contemplating a triple-decker sandwich consisting of a Cisco 1720, a SonicWall Pro 230, and Trustix Firewall. Yeah, I know... It's ultra-paranoid to think you would need such a setup, but I figured what the hey!

    What I envision is the Cisco 1720 being directly connected to the internet, with the private interface being connected to the SonicWall. From there, the SonicWall's VPN and LAN interfaces will go to a Catalyst on separate VLANs with a Trustix box running Snort on each VLAN.

    On the VLAN connected to the SonicWall's LAN port, I'll connect the Trustix Firewall, which will be the perimeter firewall for the LAN. The firewall rules will start out granular at the router, and get tighter and tighter as you move down.

    What do you guys think? Anyone else out there ever attempt something so crazy? Just wanted to get you guys' feedback.
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.


  2. #2 keezel (0_o Mastermind) | Join Date: Jun 2003 | Posts: 1,024
    It's not so crazy. My box at school is behind 3 firewalls. I have a personal firewall, then the firewall on the router in my room that my computer and my roommates' computers connect to, and then the firewall for the school LAN on the server that everyone on the school network has to go through to access the 'net. Most people I know would still say that one properly configured firewall is better than a dozen that are misconfigured or left wide open.

    Sounds like you have a different setup though... Let us all know what you find with your experiments.

  3. #3 Godsrock37 (Senior Member) | Join Date: Jan 2005 | Location: PA | Posts: 121
    Just for curiosity's (spelled that wrong) sake, what are you firewalling? If it's a school or business I could understand, but a home network?!!?! I don't know, maybe I'm behind the times (I don't think so), but that sounds a little overkill, lol. Well, have fun and hopefully it all works really well.

  4. #4 catch (Banned) | Join Date: May 2003 | Posts: 1,004
    Unfortunately, three firewalls are worse than one. The extra firewalls actually increase the surface area of the system rather than decrease it; consequently, the insecurities compound based on each firewall's assurance difference from 100%.

    To simplify:

    If firewall 1 = 99% assured (this is greatly simplified, but bear with me)

    The system's firewalls are 99% assured.

    If firewalls 2 and 3 are also 99% assured.

    The system's firewalls are now 99% of 99% of 99%, or ~97%... because each firewall compromise will compromise the entire system. (Traffic can be manipulated at any point.)

    cheers,

    catch

  5. #5 the_JinX (Leftie Linux Lover) | Join Date: Nov 2001 | Location: Beverwijk Netherlands | Posts: 2,534
    I'd have to agree with catch's math..

    At least if it is a 'parallel' system, which I seem to read here.. (sandwich) and the way you tell it..

    Perhaps an image (chart) of the system would be helpful in understanding what you are actually doing..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio, the best station for C64 Remixes!

  6. #6 keezel (0_o Mastermind) | Join Date: Jun 2003 | Posts: 1,024
    So catch, assuming that the school's firewall that I'm behind sucks (which it does), then are you saying that could make my computer more vulnerable than if I were only behind one good firewall?

  7. #7 catch (Banned) | Join Date: May 2003 | Posts: 1,004
    Quote (the_JinX): At least if it is a 'parallel' system, which I seem to read here.. (sandwich) and the way you tell it..

    There really is no way to mitigate this, assuming all the firewalls are protecting the same systems (without a really messed up architecture anyhow), since each firewall would process all/nearly all of the traffic.

    Quote (keezel): So catch, assuming that the school's firewall that I'm behind sucks (which it does), then are you saying that could make my computer more vulnerable than if I were only behind one good firewall?

    You want to have the exact minimum controls to meet your needs and nothing more.

    cheers,

    catch
