
RE: [FW1] Multi-tier Firewall topology



From my point of view this config makes no sense at all.

If you have a _proper_ config, even a single Cisco router with IOS/FW
can secure you in most situations.
If not, nothing will help, even a dozen PIX/FW1's...
To say more, most security breaches typically come from _inside_.
Security is not just a hw/sw combination - it's a way of thinking.

BTW, if you want the _best_ security solution - just cut the cable :-)
No network - no problems....


Regards,

     Eugene

---------------------------
Eugene Nesterenko, CCIE #5283, CCSE, CCNP+Security, CCDP, MCSE


-----Original Message-----
From: Scott Schindler
To: Goetz, Jarrett; Paul Murphy
Cc: [email protected]
Sent: 5/8/01 7:25 AM
Subject: RE: [FW1]  Multi-tier Firewall topology

As someone who would happily sell you all this equipment, I would be
happy to recommend your configuration.  As someone with a security
background, I would not recommend this in any way.  Firewalls are meant
to stop low- to medium-skilled attacks.  If someone can attack you at the
application layer or with a new virus, your configuration does nothing to
prevent the attack.  Instead, implement one firewall well, plus IDS and
anti-virus.  If most companies in the Fortune 100 can get away with 1
firewall per site (HA notwithstanding), you can too.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Goetz, Jarrett
Sent: Sunday, May 06, 2001 11:53 PM
To: Paul Murphy
Cc: [email protected]
Subject: RE: [FW1] Multi-tier Firewall topology
Importance: Low



Of course it would make it at least a little harder for an attacker to
get in under some circumstances, as you will be adding a level of
ambiguity and something that doesn't appear to be the norm, which can be
good in many cases.  But you need to weigh the opportunity costs of
doing this.  Is it worth the cash?  Is it worth the additional
management headaches? (patches, management consoles, staff with the
proper expertise, support contract management and costs, etc.)

It all depends exactly how valuable the thing is you are trying to
protect, how hard you want to make your life :), how much money you
have, etc...

Sounds like a lot of fun though, let me know if you come across anything
interesting in your research on this. 

Jarrett 

-----Original Message-----
From: Paul Murphy [mailto:[email protected]]
Sent: Friday, May 04, 2001 05:00
To: [email protected]
Subject: RE: [FW1] Multi-tier Firewall topology




Sure, I oversimplified the diagram to the point that the point was
lost.... 

Here is a clearer picture: 


Internet----FW1----CiscoPIX-----DMZ-----FW1---CiscoPIX---InternalLan 


Clearly, the DMZ and Internal LAN could hang off two interfaces of the
first CiscoPIX, and we would have the same topology essentially,
eliminating the second set of firewalls.  The topology as shown is for
clarity as my email only allows proportional text so I can only do one
line diagrams effectively (!).  And the choice and sequence of vendors
above is just what came to mind, not a proposal.

But I am trying to establish whether back to back firewalls from
different vendors really makes any sense (all other things being equal
such as the DMZ hosts being secure in themselves).

Everything is exploitable of course, and the question is really whether
the first firewall could be exploited in such a way that would make
having the second fw a sensible precaution.  So we aren't talking DDoS,
but an exploit where the policy is compromised, or something along those
lines.

This could happen, of course.  But is it realistic?  Has anyone had any
example or indication of such an incident?  From the responses I have
so far, it would appear that back-to-back firewalls aren't often
employed, and I would like to hear viewpoints from both camps if
possible.

Many thanks, 

Paul. 
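The question above (does the second tier help when the first firewall's policy is compromised, not merely DoS'd) can be modelled directly. The following is an added illustration, not code from the original thread: it evaluates constructed first-match rulebases for each box in the Internet----FW1----CiscoPIX-----DMZ-----FW1---CiscoPIX---InternalLan chain, then re-evaluates the same flows with the outer FW1, and then the whole outer tier, treated as fail-open. Zone names, ports and rules are invented for the example.

```python
# Constructed model of the back-to-back topology discussed in the thread:
#   Internet----FW1----CiscoPIX-----DMZ-----FW1---CiscoPIX---InternalLan
# Zone names, ports and rules below are invented for illustration.

def evaluate(policy, flow):
    """First-match evaluation of one firewall's policy.
    policy = (rules, default_action); rule = (src, dst, port, action),
    where 'any' is a wildcard; flow = (src_zone, dst_zone, port)."""
    rules, default = policy
    src, dst, port = flow
    for r_src, r_dst, r_port, action in rules:
        if r_src in (src, "any") and r_dst in (dst, "any") and r_port in (port, "any"):
            return action
    return default

# Two independently written rulebases per tier (different vendors, same intent).
OUTER_FW1 = ([("internet", "dmz", 80, "allow"), ("internet", "dmz", 25, "allow")], "deny")
OUTER_PIX = ([("any", "dmz", 80, "allow"), ("any", "dmz", 25, "allow")], "deny")
INNER_FW1 = ([("dmz", "internal", 25, "allow")], "deny")   # mail relay only
INNER_PIX = ([("dmz", "internal", 25, "allow")], "deny")

# A box whose policy has been compromised is modelled as fail-open (allow all).
COMPROMISED = ([], "allow")

def path(flow, outer, inner):
    """Firewalls a flow actually crosses: outer tier when it comes from the
    Internet, inner tier when it is bound for the internal LAN."""
    src, dst, _ = flow
    return (outer if src == "internet" else []) + (inner if dst == "internal" else [])

def chain_decision(flow, outer, inner):
    """A flow gets through only if every firewall on its path allows it."""
    hops = path(flow, outer, inner)
    return "allow" if all(evaluate(p, flow) == "allow" for p in hops) else "deny"

def compare(flows):
    """Per flow: (chain intact, outer FW1 compromised, whole outer tier compromised)."""
    inner = [INNER_FW1, INNER_PIX]
    return {
        f: (chain_decision(f, [OUTER_FW1, OUTER_PIX], inner),
            chain_decision(f, [COMPROMISED, OUTER_PIX], inner),
            chain_decision(f, [COMPROMISED, COMPROMISED], inner))
        for f in flows
    }

if __name__ == "__main__":
    for flow, decisions in compare([("internet", "dmz", 23), ("internet", "internal", 25),
                                    ("internet", "dmz", 80)]).items():
        print(flow, decisions)
```

With only the outer FW1 compromised, the second vendor at the same tier still denies the unexpected Telnet flow to the DMZ; with the whole outer tier gone, the DMZ is exposed but the inner tier still denies direct Internet-to-internal traffic. The model counts for a compromised policy, not for a compromise of the DMZ host itself, which the thread treats separately.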




>>> Chris Arnold <[email protected]> 5/3/2001 07:32:40 pm >>>
Actually, everything behind FW and in front of the PIX is a traditional
DMZ.
I personally don't use different vendor FWs but if you're fearful of
exploits or problems with a particular box, this is fine.  Be aware of
your network segments and address space though.  I'm not sure how you're
planning this exactly but FW-1 only routes and does not bridge.

Chris

-----Original Message-----
From: Paul Murphy [mailto:[email protected]]
Sent: Wednesday, May 02, 2001 7:28 AM
To: [email protected]
Subject: [FW1] Multi-tier Firewall topology




I am still in two minds about having two levels of firewall protection
from alternate manufacturers, i.e. having a Firewall-1 box, then a Cisco
PIX, then your protected network:

   Internet----FW1----CiscoPIX---InternalNet

Has anyone had any experience where this kind of configuration has
proved an effective deterrent?

Many thanks

Paul Murphy



--------------------------------------------------------------------------------
CRESTCo Ltd.               The views expressed above are not necessarily
33 Cannon Street.          those held by CRESTCo Limited.
London  EC4M 5SB (UK)
+44 (020) 7849 0000        http://www.crestco.co.uk
--------------------------------------------------------------------------------


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================