RE: [FW1] Multi-tier Firewall topology
Sure, I oversimplified the diagram to the point that the point was lost.... Here is a clearer picture:

Internet----FW1----CiscoPIX-----DMZ-----FW1---CiscoPIX---InternalLan

Clearly, the DMZ and Internal LAN could hang off two interfaces of the first CiscoPIX, and we would have essentially the same topology, eliminating the second set of firewalls. The topology as shown is for clarity, as my email only allows proportional text, so I can only do one-line diagrams effectively (!). And the choice and sequence of vendors above is just what came to mind, not a proposal.

But I am trying to establish whether back-to-back firewalls from different vendors really make any sense (all other things being equal, such as the DMZ hosts being secure in themselves). Everything is exploitable of course, and the question is really whether the first firewall could be exploited in such a way that would make having the second fw a sensible precaution. So we aren't talking DDoS, but an exploit where the policy is compromised, or something along those lines. This could happen of course. But is it realistic? Has anyone had any example or indication of such an incident?

From the responses I have so far, it would appear that back-to-back firewalls aren't often employed, and I would like to hear viewpoints from both camps if possible.

Many thanks,
Paul.

>>> Chris Arnold <[email protected]> 5/3/2001 07:32:40 pm >>>
Actually, everything behind FW and in front of the PIX is a traditional DMZ. I personally don't use different vendor FWs, but if you're fearful of exploits or problems with a particular box, this is fine. Be aware of your network segments and address space though. I'm not sure how you're planning this exactly, but FW-1 only routes and does not bridge.

Chris

-----Original Message-----
From: Paul Murphy [mailto:[email protected]]
Sent: Wednesday, May 02, 2001 7:28 AM
To: [email protected]
Subject: [FW1] Multi-tier Firewall topology

I am still in two minds about having two levels of firewall protection from alternate manufacturers, ie having a Firewall-1 box, then a Cisco PIX, then your protected network:

Internet----FW1----CiscoPIX---InternalNet

Has anyone had any experience where this kind of configuration has proved an effective deterrent?

Many thanks
Paul Murphy

CRESTCo Ltd., 33 Cannon Street, London EC4M 5SB (UK), +44 (020) 7849 0000, http://www.crestco.co.uk
The views expressed above are not necessarily those held by CRESTCo Limited.

To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
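The thread's core question is what a second, in-series firewall buys you if the first one's policy is compromised. The following is an added example, not code from anyone in the thread: it models the serial chain (Internet -> FW1 -> PIX -> LAN) as an intersection of first-match policies and compares a PIX written as an independent, full policy against one written "loosely because FW1 already filters". The zone labels, rule sets and flows are constructed for illustration.

```python
"""Serial firewall chain: a flow reaches the LAN only if every device permits it.
Compares normal operation with the outer firewall forced to permit everything."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # constructed zone label, e.g. "internet"
    proto: str    # "tcp" or "udp"
    dport: int


def rule(action, src="any", proto="any", ports=(0, 65535)):
    """A rule is (action, source zone, protocol, inclusive port range)."""
    return (action, src, proto, ports)


def matches(r, f):
    _, src, proto, (lo, hi) = r
    return src in ("any", f.src) and proto in ("any", f.proto) and lo <= f.dport <= hi


def decide(policy, f):
    """First-match semantics with an implicit final deny."""
    for r in policy:
        if matches(r, f):
            return r[0] == "permit"
    return False


def through_chain(chain, flows):
    """Flows that are permitted by every firewall in series (policy intersection)."""
    return {f for f in flows if all(decide(p, f) for p in chain)}


PERMIT_ALL = [rule("permit")]  # stand-in for a firewall whose policy has been defeated

# Constructed policies: FW1 admits web and mail; the inner PIX is written two ways.
FW1 = [rule("permit", "internet", "tcp", (80, 80)),
       rule("permit", "internet", "tcp", (25, 25))]
PIX_INDEPENDENT = [rule("permit", "internet", "tcp", (25, 25))]  # LAN only needs mail
PIX_LAX = [rule("permit")]  # "FW1 already filters, so let everything through"

FLOWS = {Flow("internet", "tcp", 80), Flow("internet", "tcp", 25),
         Flow("internet", "tcp", 445), Flow("internet", "udp", 53)}


def compare(inner):
    """Return (flows reaching LAN normally, flows reaching LAN with FW1 compromised)."""
    normal = through_chain([FW1, inner], FLOWS)
    fw1_compromised = through_chain([PERMIT_ALL, inner], FLOWS)
    return normal, fw1_compromised
```

With the independent PIX policy the compromised-FW1 case admits exactly the same flows as normal operation; with the lax policy every constructed flow reaches the LAN, so the second box only helps if it enforces the full policy itself.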