
Thread: Multiple Firewalls - Depth of Security Tutorial

  1. #11
    0_o Mastermind keezel
    Join Date
    Jun 2003
    Posts
    1,024
    I'm with sickyourIT. But I'll go along with it bc I haven't gotten sick of answering this one yet . Lord_Of_Dragons, two of the best *free* firewalls I know of are ZoneAlarm's free version and "Tiny Personal Firewall" (don't let the name fool you). You can get ZoneAlarm at http://www.zonelabs.com/store/conten...eeDownload.jsp and Tiny Personal Firewall at http://www.tinysoftware.com/home/tin...=tpf5-download . Also, there is a thread about ZoneAlarm going on right now at http://www.antionline.com/showthread...hreadid=245735 . Hope this is helpful, but you could probably just search on Google or look through old AO threads and get a faster, better answer.

  2. #12
    Junior Member
    Join Date
    Jul 2003
    Posts
    19
    Nice read,
    'Hard on the outside, soft on the inside' is setting up for failure. One day your single point of defence will fail.

    Cheers SoggyBottom.

  3. #13
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    'Hard on the outside, soft on the inside'
    Commonly known as the "Crustacean Architectural Design"...
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  4. #14
    Senior Member
    Join Date
    Mar 2002
    Posts
    442
    Just remember to be careful when doubling up on software firewalls; too often you will see new holes emerge because of incompatibilities when using multiple firewalls on one computer. Hardware firewalls, NAT routers, et cetera, do work well together, and are okay to double, even triple up.

  5. #15
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    And it is also advisable, when using a multi-tiered hardware/appliance firewall architecture, that you try and mix up the type of firewall you have (i.e. Checkpoint, SideWinder etc...).

    The reason being, if you have a 2-tier architecture with the same firewalls on each tier, and the internet-facing firewall has been compromised due to a vulnerability, chances are the 2nd tier will be susceptible to the same attack.
    SoggyBottom.


  6. #16
    Senior Member
    Join Date
    Mar 2003
    Posts
    217
    Catch,

    that works in a multiple door system, not in a redundancy system:


    Incoming
        |
    Firewall 1    Firewall 2    Firewall 3
         \            |            /
          \           |           /
                    Server

    then yes, assurances go down



    Incoming
        |
    Firewall 1
        |
    Firewall 2
        |
    Firewall 3

    this provides redundancy. a hole in firewall 1 that was blocked at firewall 2 would not lower assurances...


    unless we are talking about software firewalls as opposed to two different hardware firewall appliances...


    (edit - sorry about the incompleteness the first time i posted this. i hit send too early)



    i'm starting to think that i'm bound to always be the first guy on the second page of the thread.

  7. #17
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Assuming data is being passed, all an attacker needs to do is compromise _any_ firewall, dedicated or otherwise, and the attacker controls _all_ the traffic on the system.
    Now if you have stacked firewalls like that, how can they have different rules? Firewall 1 allows connections to port 80, but firewall 2 doesn't? Your web admins will love that. The fact is you are still better off with the single firewall to manage your rules, if you wish to use a firewall at all.

    Really firewalls are ideal at segregating network traffic and do little to nothing for securing servers (as the firewalls need to allow traffic to the server's points of entry anyhow.)

    A strong, hard rule with security is: if you add to a system without altering its functionality, you reduce its security. Really it goes further than that: if you add to a system's surface at all, you reduce its security. This is why adding things like labeled security will increase a system's security, and why adding things like additional discretionary access control allows does not affect the system's security.

    Adding extra firewalls doesn't reduce the surface; passed traffic touches all the stacked firewalls (not to mention the introduced latency).

    catch

  8. #18
    Senior Member
    Join Date
    Mar 2003
    Posts
    217
    i wasn't necessarily referring to different rules.

    assuming that all firewalls do have natural flaws >>GASP<< and that by using differing redundancy, any firewall-specific exploits would be taken care of.

    I'm referring to security holes, not mis-set rules.

  9. #19
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I know you are, which is my point: _unless_ the firewalls had different rules, you are not gaining any new functionality, therefore: more = less secure.

    catch

  10. #20
    Senior Member
    Join Date
    Mar 2003
    Posts
    217
    more only = less secure in a parallel instance. i tried drawing that in a text box above, but it didn't work out. see the jpeg below.

    when run in serial redundancy = more security.


    <had to bust out the autocad on this one>

    now, read the disclaimer. catch does have a point in that if one firewall is compromised, any network traffic can be seen. on the other hand, if one of the upper layer (fw1 or 2) firewalls is compromised, the third should still catch most attacks/exploits.
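The disagreement in the thread (parallel vs. serial tiers, and SoggyBottom's point that identical products share the same vulnerability) can be made concrete with a small probability model. The following is an added example, not code from the thread or from any product mentioned in it: each firewall is either bypassed via a flaw shared across its whole vendor/product family or via a flaw unique to that instance. The vendor names and all probabilities are constructed illustrative values, not measurements of any real firewall. It enumerates every combination of flaw events exactly, so the numbers are not Monte Carlo estimates.

```python
"""Defense-in-depth model for the serial vs. parallel firewall debate.

Added example, not from the thread. Vendor names and probabilities are
constructed and purely illustrative.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Firewall:
    name: str
    vendor: str     # same vendor => one shared, vendor-wide exploitable flaw
    p_own: float    # probability of a flaw unique to this instance (constructed)


# Constructed probability that a vendor-wide exploitable flaw exists.
VENDOR_FLAW = {"VendorA": 0.10, "VendorB": 0.10}


def bypass_probability(firewalls, topology):
    """Exact probability that an attacker gets traffic past the deployment.

    topology "serial":   traffic passes every tier, attacker must defeat all.
    topology "parallel": each firewall is its own door, any one bypass suffices.
    """
    vendors = sorted({fw.vendor for fw in firewalls})
    # Independent random events: one per vendor (shared flaw) plus one per box.
    events = [("vendor", v) for v in vendors] + [("own", fw.name) for fw in firewalls]
    probs = [VENDOR_FLAW[v] for v in vendors] + [fw.p_own for fw in firewalls]

    total = 0.0
    for outcome in product((False, True), repeat=len(events)):
        weight = 1.0
        for happened, p in zip(outcome, probs):
            weight *= p if happened else (1.0 - p)
        active = {ev for ev, happened in zip(events, outcome) if happened}
        # A firewall falls if its vendor's shared flaw or its own flaw is present.
        bypassed = [("vendor", fw.vendor) in active or ("own", fw.name) in active
                    for fw in firewalls]
        if topology == "serial":
            reached = all(bypassed)
        elif topology == "parallel":
            reached = any(bypassed)
        else:
            raise ValueError(f"unknown topology {topology!r}")
        if reached:
            total += weight
    return total


# Constructed deployments (p_own = 0.05 for every box).
SINGLE = [Firewall("fw1", "VendorA", 0.05)]
SERIAL_SAME_VENDOR = [Firewall("fw1", "VendorA", 0.05),
                      Firewall("fw2", "VendorA", 0.05)]
SERIAL_MIXED_VENDOR = [Firewall("fw1", "VendorA", 0.05),
                       Firewall("fw2", "VendorB", 0.05)]
PARALLEL_SAME_VENDOR = [Firewall(f"fw{i}", "VendorA", 0.05) for i in (1, 2, 3)]


def compare():
    """Bypass probability for each deployment discussed in the thread."""
    return {
        "single": bypass_probability(SINGLE, "serial"),
        "serial, same vendor": bypass_probability(SERIAL_SAME_VENDOR, "serial"),
        "serial, mixed vendors": bypass_probability(SERIAL_MIXED_VENDOR, "serial"),
        "parallel, same vendor": bypass_probability(PARALLEL_SAME_VENDOR, "parallel"),
    }


if __name__ == "__main__":
    for label, p in compare().items():
        print(f"{label:24s} P(bypass) = {p:.4f}")
```

With these constructed numbers a single box is bypassed with probability 0.145; two identical boxes in series only drop that to about 0.102, because the shared vendor flaw clears both tiers at once; two boxes from different vendors in series drop it to about 0.021; and three boxes side by side raise it to about 0.228, since the attacker only needs the weakest door. That is the thread's argument in numbers: serial tiers help, mixed vendors help much more, and parallel paths hurt.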
