List:       firewall-wizards
Subject:    Re: [fw-wiz] DMZ Building Practice
From:       Holger Kipp <holger.kipp () alogis ! com>
Date:       2002-01-17 8:36:07

Brad_MacQuarrie@maritimelife.ca wrote:
> 
> I have a question which may be more philosophy than engineering but here
> goes:  What have folks most often embraced as the best practice in building
> a DMZ'd infrastructure:  multiple, two-interface firewalls between DMZs or
> a single firewall with multiple interfaces forming the DMZs.  I realize
> that cost likely owns the lion's share of this decision but other
> considerations would be helpful as well.

I wouldn't consider this a philosophical question ;-)

The general setup could be seen as something like:
I left out intrusion detection systems (IDS).

(INTERNET)
    |
    |
    +----------------------------------------+----...
    |                                        |
[Firewall A1]-----(DMZ1)               [Firewall A2]----(DMZ4)
    |     |                                  |   |
    |     +-------(DMZ2)                     |   +------(DMZ5)
    |                                        |
    +-------------(DMZ3)                     +---...
    |
    |
[Firewall B]------(internal LAN1)-----[Dial-In] <- Staff
    |  |  |
    |  |  +-------(internal LAN2)-----[Dial-In] <- Other companies
    |  |
    |  +----------(internal LAN3)-----[Dial-Out] -> Other companies
    |
    +-------------(internal LAN4) "standard security"
    |
    |
[Firewall C]------(internal LAN5) "high security"
    | ...

-------------------------

(internal LANx) "highest security" (no connection to other LANs)

Of course every single LAN could also be divided into several
sections with the use of Firewalls. Depending on what is needed
(services like smtp, snmp, http, pop3, imap, telnet, ftp, ssh,
authentication via SecureID, Kerberos,...) the firewalls can be
anything between state-based packet filters and full-scale
application gateways.

Using dedicated Firewalls makes configuration much easier and also
improves security (if one Firewall is compromised (e.g. A1), the others
are still working correctly).

The additional costs for a commercial firewall might force companies
to collapse several firewalls into one with several network adapters.
As long as the firewall is not compromised and the filter configuration 
is correct, there is not much difference in security IMHO.

I'd say it is all a matter of money and the company's security policy:
the cost of protecting the internal data should not exceed the value
of this data. Proper administration of firewalls, virus scanners etc.
is also expensive, as well as the physical protection: if cleaning
personnel can enter the server room without authentication, what's
the advantage of top-notch firewall equipment?

Regards,
Holger

-- 
Holger Kipp, Dipl.-Math., Systemadministrator  | alogis AG
Fon: +49 (0)30 / 43 65 8 - 114                 | Berliner Strasse 26
Fax: +49 (0)30 / 43 65 8 - 214                 | D-13507 Berlin Tegel
email: holger.kipp@alogis.com                  | http://www.alogis.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@nfr.com
http://list.nfr.com/mailman/listinfo/firewall-wizards
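The collapsed variant Holger describes (one firewall with several network adapters) stands or falls with the filter configuration being correct, so the thing worth automating is a check of the zone-to-zone policy before it is turned into rules. The following is an added example, not code from the original post or from alogis: it models the single multi-interface firewall from the diagram (Internet, DMZ1, DMZ2, internal LAN4 "standard security", LAN5 "high security"), audits the allowed flows against a few simple rules (the Internet never reaches an internal LAN directly, nothing below LAN5 initiates into it, any other upward flow must be explicitly reviewed) and renders the surviving matrix as an nftables forward chain with a default-drop policy. Interface names, services, the example flows and the deliberately wrong `dmz2 -> lan5` rule are all constructed for illustration.

```python
"""Zone-policy audit for a single multi-interface firewall.

Added example, not from the original post. Zone names follow the
diagram (DMZ1, DMZ2, internal LAN4/LAN5); interface names, services
and the sample flows are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# zone -> (interface, trust level); a higher level means more trusted.
ZONES = {
    "internet": ("eth0", 0),
    "dmz1":     ("eth1", 1),   # mail relay
    "dmz2":     ("eth2", 1),   # public web server
    "lan4":     ("eth3", 2),   # "standard security" internal LAN
    "lan5":     ("eth4", 3),   # "high security" internal LAN
}


@dataclass(frozen=True)
class Rule:
    src: str      # zone that initiates the connection
    dst: str      # zone that accepts it
    proto: str    # "tcp" or "udp"
    port: int


# Constructed sample policy; the last rule is intentionally wrong.
POLICY = [
    Rule("internet", "dmz1", "tcp", 25),    # inbound SMTP to the relay
    Rule("internet", "dmz2", "tcp", 80),    # inbound HTTP to the web server
    Rule("dmz1", "lan4", "tcp", 25),        # relay delivers to internal mail server
    Rule("lan4", "internet", "tcp", 443),   # staff browsing out
    Rule("lan4", "dmz2", "tcp", 22),        # admins ssh into the web server
    Rule("dmz2", "lan5", "tcp", 3306),      # web server into the high-security LAN?!
]

# Upward flows (less trusted -> more trusted) that were reviewed and accepted.
REVIEWED = {Rule("dmz1", "lan4", "tcp", 25)}


def audit(policy, zones=ZONES, reviewed=REVIEWED):
    """Return a list of findings; an empty list means the matrix is consistent."""
    findings = []
    for r in policy:
        if r.src not in zones or r.dst not in zones:
            findings.append(f"VIOLATION: unknown zone in {r}")
            continue
        src_trust, dst_trust = zones[r.src][1], zones[r.dst][1]
        if r.src == "internet" and dst_trust >= 2:
            # The Internet may only ever talk to DMZ hosts.
            findings.append(f"VIOLATION: internet reaches an internal LAN directly: {r}")
        elif dst_trust == 3 and src_trust < 3:
            # The high-security LAN accepts no inbound connections from below.
            findings.append(f"VIOLATION: inbound flow into high-security zone: {r}")
        elif src_trust < dst_trust and r.src != "internet" and r not in reviewed:
            # A DMZ host initiating into an internal LAN needs an explicit decision.
            findings.append(f"REVIEW: unreviewed upward flow: {r}")
    return findings


def render_nftables(policy, zones=ZONES):
    """Render the matrix as an nftables forward chain with a default-drop policy."""
    lines = [
        "table inet fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in policy:
        if r.src not in zones or r.dst not in zones:
            raise ValueError(f"unknown zone in {r}; run audit() first")
        iif, oif = zones[r.src][0], zones[r.dst][0]
        lines.append(
            f"    iifname {iif} oifname {oif} {r.proto} dport {r.port} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    problems = audit(POLICY)
    for finding in problems:
        print(finding)
    if not problems:
        print(render_nftables(POLICY))
```

Run as a script it prints the single finding for the `dmz2 -> lan5` rule and refuses to render; drop that rule (or move it into `REVIEWED` after a real decision) and it emits the ruleset. The point of the default-drop forward chain is Holger's caveat in code: on a collapsed firewall every inter-zone path goes through this one table, so anything not listed here is exactly what must not be reachable.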