Of course it would make it at least a little harder for an attacker to get in under some circumstances, as you will be adding a level of ambiguity and something that doesn't appear to be the norm, which can be good in many cases. But you need to weigh your opportunity costs of doing this. Is it worth the cash? Is it worth the additional management headaches? (patches, management consoles, staff with the proper expertise, support contract management and costs, etc.)

It all depends on exactly how valuable the thing you are trying to protect is, how hard you want to make your life :), how much money you have, etc.

Sounds like a lot of fun though, let me know if you come across anything interesting in your research on this.
Jarrett
-----Original Message-----
From: Paul Murphy [mailto:[email protected]]
Sent: Friday, May 04, 2001 05:00
To: [email protected]
Subject: RE: [FW1] Multi-tier Firewall topology
Sure, I oversimplified the diagram to the point that the point was lost...

Here is a clearer picture:

Internet----FW1----CiscoPIX-----DMZ-----FW1---CiscoPIX---InternalLan

Clearly, the DMZ and Internal LAN could hang off two interfaces of the first CiscoPIX, and we would have essentially the same topology, eliminating the second set of firewalls. The topology as shown is for clarity, as my email only allows proportional text, so I can only do one-line diagrams effectively (!). And the choice and sequence of vendors above is just what came to mind, not a proposal.

But I am trying to establish whether back-to-back firewalls from different vendors really make any sense (all other things being equal, such as the DMZ hosts being secure in themselves).

Everything is exploitable of course, and the question is really whether the first firewall could be exploited in such a way that would make having the second fw a sensible precaution. So we aren't talking DDoS, but an exploit where the policy is compromised, or something along those lines.

This could happen of course. But is it realistic? Has anyone had any example or indication of such an incident? From the responses I have so far, it would appear that back-to-back firewalls aren't often employed, and I would like to hear viewpoints from both camps if possible.

Many thanks,
Paul.
>>> Chris Arnold <[email protected]> 5/3/2001 07:32:40 pm >>>
Actually, everything behind FW and in front of the PIX is a traditional DMZ.

I personally don't use different vendor FWs, but if you're fearful of exploits or problems with a particular box, this is fine. Be aware of your network segments and address space though. I'm not sure how you're planning this exactly, but FW-1 only routes and does not bridge.

Chris
-----Original Message-----
From: Paul Murphy [mailto:[email protected]]
Sent: Wednesday, May 02, 2001 7:28 AM
To: [email protected]
Subject: [FW1] Multi-tier Firewall topology
I am still in two minds about having two levels of firewall protection from alternate manufacturers, i.e. having a Firewall-1 box, then a Cisco PIX, then your protected network:

Internet----FW1----CiscoPIX---InternalNet

Has anyone had any experience where this kind of configuration has proved an effective deterrent?

Many thanks
Paul Murphy
---------------------------------------------------------------------------------------------------------------------------
CRESTCo Ltd., 33 Cannon Street, London EC4M 5SB (UK)
+44 (020) 7849 0000, http://www.crestco.co.uk
The views expressed above are not necessarily those held by CRESTCo Limited.
---------------------------------------------------------------------------------------------------------------------------
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
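As an added illustration of the question the thread debates (this is not code from any of the posters), the following Python model walks a flow through the back-to-back chain Internet -> outer FW -> DMZ -> inner FW -> Internal, lets each tier decide on its own policy, and models Paul's "policy compromised" case by treating a named tier as permit-all; it also checks Chris's point that a routing (non-bridging) firewall needs a distinct subnet per segment. The subnets, ports and tier names are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan for the chain discussed in the thread.
CHAIN = ["internet", "dmz", "internal"]
SEGMENTS = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}

# TIERS[i] guards the hop between CHAIN[i] and CHAIN[i+1]. A rule is
# (source segment, destination segment, TCP port); unmatched traffic is denied.
TIERS = [
    ("outer-fw", [("internet", "dmz", 80), ("dmz", "internal", 3306)]),
    ("inner-fw", [("dmz", "internal", 3306)]),
]


def overlapping_segments(segments=SEGMENTS):
    """Pairs of named segments whose address space overlaps. FW-1 routes rather
    than bridges, so each segment needs its own subnet; 'internet' is the
    default route and is excluded from the check."""
    names = [n for n in segments if n != "internet"]
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if segments[a].overlaps(segments[b])]


def segment_of(ip, segments=SEGMENTS):
    """Map an address to its segment; anything not in a named subnet is internet."""
    addr = ip_address(ip)
    for name in CHAIN[1:]:
        if addr in segments[name]:
            return name
    return "internet"


def evaluate(src, dst, port, tiers=TIERS, compromised=()):
    """Walk the flow hop by hop; every tier on the path decides independently.
    Tiers named in `compromised` are modelled as permitting everything (the
    'policy compromised' case). Returns None if the flow is allowed end to end,
    otherwise the name of the first tier that blocks it."""
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    lo, hi = sorted((CHAIN.index(src_seg), CHAIN.index(dst_seg)))
    for idx in range(lo, hi):
        name, rules = tiers[idx]
        if name in compromised:
            continue  # subverted tier passes everything
        if not any(rs == src_seg and rd == dst_seg and rp == port for rs, rd, rp in rules):
            return name
    return None
```

With the outer tier marked compromised, an Internet-sourced flow to the internal LAN is still stopped at the inner tier, which is the "sensible precaution" the thread is weighing against the extra cost.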