Security Basics
Defense in Depth Oct 27 2004 07:33AM
Ronish Mehta (sf_mail_sbm yahoo com) (4 replies)
Re: Defense in Depth Nov 01 2004 05:33AM
Miles Stevenson (miles mstevenson org)
Re: Defense in Depth Oct 29 2004 05:35AM
Ravi Kumar (ravivsn rocsys com) (1 replies)
Re: Defense in Depth Oct 31 2004 09:20AM
Daniel Miessler (daniel dmiessler com)
Re: Defense in Depth Oct 27 2004 04:57PM
Gautam R. Singh (gautam singh gmail com)
Re: Defense in Depth Oct 27 2004 04:27PM
Kenneth R Swain II (ken kenswain com) (1 replies)
Re: Defense in Depth Oct 29 2004 09:48PM
Javier Blanque (javier blanque com ar)
I could add something to what Kenneth said...
The firewalls are effective barriers if you put one at the border of
the DMZ and one at the border of the internal network. Not better than
one (thinking about security) if you put the two side by side.
The external firewall restricts access to the DMZ to as few ports and
ethernet addresses as possible (given functional limits dictated by
your requirements).
The internal firewall restricts access to the internal network and -if
required- services (DBMS, etc). The internal firewall assures you that
the packets that need to see these required services are only from the
authorized IP addresses inside the DMZ.
Of course it depends on your needs, but as Kenneth says, generally this
is the schema used.
I could add that security is like an onion, several concentric layers,
with multiple devices, better than one, for security -not for
administration or cost- if there are heterogeneous technologies and
several vendors included, better. For example, if your external
firewall is a Cisco PIX, then your internal could be a Firewall-1,
better than another Cisco Pix. If you have no money: If your external
box is BSD with pf, then your internal firewall could be a gnu/linux
box with iptables.
If your work is about security, never take for granted the security of
any device or software, and try to reduce the bottlenecks and isolated
points of failure.
If you have only a firewall and it is cracked, then the security of
your DMZ and of your internal network is compromised (which is a lot
worse).
When a vulnerability appears on one of your firewalls, the existence of
the other allows you the time needed to patch it (and peace of mind).
If the vuln is at the external FW, your risk time window is only for
the DMZ.
Best regards,
Javier Blanque

On 27/10/2004, at 13:27, Kenneth R Swain II wrote:

> Let me see if I can clear something up.
>
> ----------
> | |
> | | Internet facing firewall
> ---------
>
> DMZ
>
> ----------
> | |
> | | Internal firewall
> ---------

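As an added illustration of the two-layer layout described above (this is not code from the thread): one pf ruleset for the external firewall that exposes only the published DMZ ports, and one for the internal firewall that lets only the authorized DMZ host reach the DBMS. All addresses, interface names and the DBMS port (5432, PostgreSQL's default) are constructed assumptions; the post suggests iptables for the internal box, and the same policy translates directly.

```pf
# /etc/pf.conf on the EXTERNAL (Internet-facing) firewall, OpenBSD pf syntax.
# Assumed (constructed) addresses: DMZ 192.0.2.0/24, web server 192.0.2.10,
# mail relay 192.0.2.20. Interface names are also assumptions.
ext_if   = "em0"
dmz_if   = "em1"
dmz_net  = "192.0.2.0/24"
web_srv  = "192.0.2.10"
mail_srv = "192.0.2.20"

set skip on lo
block log all                       # default deny, in and out, log hits
# As few ports as the published services need: HTTP/HTTPS to the web host,
# SMTP to the relay. Replies ride on the state entries.
pass in on $ext_if proto tcp from any to $web_srv  port { 80 443 } keep state
pass in on $ext_if proto tcp from any to $mail_srv port 25         keep state
# The relay must be able to deliver outbound mail; nothing else leaves the DMZ.
pass out on $ext_if proto tcp from $mail_srv to any port 25 keep state

# /etc/pf.conf on the INTERNAL firewall (between DMZ and internal network).
# Assumed (constructed) addresses: internal LAN 10.0.0.0/24, DBMS 10.0.0.5.
dmz_if  = "em0"
int_if  = "em1"
int_net = "10.0.0.0/24"
db_srv  = "10.0.0.5"
web_srv = "192.0.2.10"

set skip on lo
block log all
# Only the web server in the DMZ may open the DBMS port. A compromised mail
# relay or any other DMZ host gets no path into the internal network.
pass in on $dmz_if proto tcp from $web_srv to $db_srv port 5432 keep state
# Internal users may browse the DMZ web server; everything else is logged.
pass in on $int_if proto tcp from $int_net to $web_srv port { 80 443 } keep state
```

A `block log all` hit on the internal firewall from a DMZ address other than the web server is exactly the signal the post describes: the outer layer has been passed and the inner one is buying you the time to patch.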