On Mon, Aug 23, 1999 at 04:20:12PM -0700, Corbett Waddingham wrote:
>
> Hello,
>
> Recently, the subject of using quad ethernet cards on firewalls was brought up
> here at work. One person was convinced that this is a Bad Thing(c), because
> someone could compromise the card and get access to the entire network.
> Everyone else (myself included) felt that he was just being overly paranoid,
> and that just keeping the subnets logically separated would be fine. But I
> thought I would ask the people who would be most likely to know.
>
> The card in this case was a Sun Quad Fast Ethernet, the firewall itself was
> an UltraSPARC with Solaris 2.6 and Checkpoint.
Well I've read through the thread and there was some great discussion on MAC
addresses on Suns. But that's not really about firewalls is it?
I don't like the multiple interfaces on the "firewall" approach. The reason is
that if the "firewall" is compromised (if you're using Sun this is fairly
likely) then every segment is now wide open. If you use a screened subnet
architecture with dual packet filters (stateful or not) and appropriate use
of proxy servers in the DMZ then you'll be better off. If one of the filters
is compromised then you don't lose the whole works in one fell swoop.
Actually, you could reduce your risk of this even more if you use different
platforms for the various filters and proxies.
Sure this will cost more, but you have to ask yourself what your risk level
is. Three-pronged "firewalls" are cheaper but more risky.
>
>
> Corbett Waddingham
> E-greetings Network Data Wrangler
> 415-536-1861
> http://www.egreetings.com
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
--
Jason Murray - jmurray (at) computer (dot) org
"Against stupidity, the gods themselves contend in vain" - I. Asimov
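A small blast-radius model of the two designs compared in the reply above (three-pronged multi-homed firewall vs. screened subnet with dual filters and a DMZ proxy), added here as an illustration and not part of the original thread. Device, platform and segment names are constructed, and the two rules (owning a device exposes every segment it is attached to; optionally, one exploit works against every device of the same platform) are simplifying assumptions.

```python
"""Blast-radius model for the firewall designs discussed in the thread.

Added example, not from the original posts. Names are constructed; the
rules are simplifying assumptions:
  * owning a device exposes every segment it has an interface on;
  * with reusable_exploit=True, a break against one platform also owns
    every other device of that platform (the "same platform twice" risk).
Proxy-only inner rules are not modeled; this is only about reach.
"""

# device name -> (platform, segments it is attached to)
THREE_PRONGED = {
    "fw": ("solaris", {"internet", "dmz", "internal"}),
}

SCREENED_MIXED = {
    "outer_filter": ("solaris", {"internet", "dmz"}),
    "proxy":        ("linux",   {"dmz"}),
    "inner_filter": ("openbsd", {"dmz", "internal"}),
}

# Same screened-subnet layout, but both filters on one platform.
SCREENED_SAME = dict(SCREENED_MIXED,
                     inner_filter=("solaris", {"dmz", "internal"}))


def exposed_segments(topology, compromised, reusable_exploit=False):
    """Segments an attacker can reach after owning `compromised`."""
    if compromised not in topology:
        raise KeyError(compromised)
    owned = {compromised}
    if reusable_exploit:
        platform = topology[compromised][0]
        owned |= {d for d, (p, _) in topology.items() if p == platform}
    exposed = set()
    for dev in owned:
        exposed |= topology[dev][1]
    return exposed


def internal_exposed(topology, compromised, reusable_exploit=False):
    """True if the protected 'internal' segment is in the blast radius."""
    return "internal" in exposed_segments(topology, compromised, reusable_exploit)


if __name__ == "__main__":
    cases = [("three-pronged", THREE_PRONGED, "fw"),
             ("screened, mixed platforms", SCREENED_MIXED, "outer_filter"),
             ("screened, same platform", SCREENED_SAME, "outer_filter")]
    for label, topo, start in cases:
        print(f"{label:27} -> internal exposed with reusable exploit: "
              f"{internal_exposed(topo, start, reusable_exploit=True)}")
```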