Mikael Olsson wrote:
>
> Am I the only one on this list who thinks that a "classic"
> DMZ with public servers between the firewall and the Internet
> router is a Bad Idea(tm)?
Depends on your requirements and what you have to work with. I've worked
with sites that get too much traffic on their public Web server to want
to let it pass through their firewall. The best fit was to bastion the
servers and throw them off a second Ethernet port on the border router.
This prevents sniffing while also stopping the performance degradation
of passing through a firewall.
Of course if you do not have a second Ethernet port to work with, your
only option may be on the DMZ.
> To me, it seems that you're just making it a lot easier for
> attackers to steal connections between the internal network
> and the Internet, and being PITAs in general. I personally
> feel a lot safer to have public hosts on a 3rd NIC.
The third NIC keeps attackers from sniffing outside your firewall, but IMO
they could do this just as easily at your ISP (maybe easier, depending on
the ISP ;). If you are truly worried about the security of the traffic
leaving your firewall, encrypt it.
With that said, the more firewalls I play with, the more I'm convinced
that there is less of a gap between a Cisco router running Reflexive
filters and a $15K firewall package than most people think. A proper
bastion will only offer the ports you need (TCP/80 for HTTP, for
example). Most firewalls do exactly the same thing (block all ports but
TCP/80). True, an app proxy keeps the two ends from connecting directly,
but most filtering & proxy products on the market today do very little
to screen actual content. Even if you can do some content filtering, it's
not as efficient as locking down the host itself.
So the third NIC thing is cool if you are unable to lock down the host
itself. Beyond that, it doesn't buy you much. I seem to remember a
thread on Wizards where Marcus stated that NRF does not even use a
firewall to protect the domain, that has to tell you something. ;)
> Heck, if you rely on your border router to "screen" things
> for you and do logging, you might as well disregard all the
> logs as corrupted, since they (usually?) pass right past
> the very same hosts that might be corrupted (Thinking
> ARP spoofing, etc etc etc ...)
Thinking switching or alternate port logging. ;)
IMHO there are some things that are easier to do on a router than on a
firewall. Dropping broadcast mapping from layers 3 to 2 comes to mind.
Also, while most OSes will drop source routing, you need to recompile
the kernel to do it. On a router this is a three- or four-word command.
Egress filtering is also best done on a router (IMO).
I also like to use a router for blocking out all the "noise". For
example, most environments see 3-4 ping sweeps a day. I know I don't have
time to follow up on them all, so I would rather not see them in my logs.
Better to /dev/null the garbage and let your firewall only log what is
truly "interesting".
> Granted, if you can't trust your firewall to be able to provide
> "services" to your public hosts on a separate NIC, you might
> not want to have these hosts there. But, if this is true,
> isn't that kind of a crappy firewall? *flame shield on*
For me, this is more of a "do I want to put all my eggs in one basket"
kind of question. I have *not* coded or built from scratch any of the
firewalls I use. Even if I did, I would not rely on my coding abilities
to be 100% perfect. With this in mind, I can't see relying on a single
security solution to guard my perimeter if a risk analysis shows my
threat level to be anything above rock bottom. Just because you paid the
equivalent of a Mustang convertible for that shiny new firewall does not
mean that it's 100% perfect. Better to hedge your bets and leverage the
other security solutions you have available. Layered security is a good
thing. I caught a few "crappy" firewalls this way myself. ;)
Cheers,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
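[Editor's note, added example; this is not Chris's configuration or anything posted in this thread.] The router-side measures Chris lists (reflexive filters on the border router, dropping source routing and directed broadcasts, egress filtering, and /dev/null-ing ping sweeps so the firewall logs only what is interesting) fit in one short Cisco IOS fragment. Everything below is an assumption for illustration: the public block 192.0.2.0/24, a Web bastion at 192.0.2.10 offering only TCP/80, Ethernet0 as the Internet-facing interface, and the ACL names EGRESS, INGRESS and REFLECT-*.

```cisco
! Global: discard source-routed packets (the "three or four word command").
no ip source-route
!
! Outbound (egress filtering): only packets sourced from our own block may
! leave. Each permitted flow records a reflexive entry so its replies can
! come back in; anything else leaving is logged and dropped.
ip access-list extended EGRESS
 permit tcp 192.0.2.0 0.0.0.255 any reflect REFLECT-TCP timeout 300
 permit udp 192.0.2.0 0.0.0.255 any reflect REFLECT-UDP timeout 60
 permit icmp 192.0.2.0 0.0.0.255 any reflect REFLECT-ICMP timeout 30
 deny ip any any log
!
! Inbound: log packets spoofing our own block, silently drop other bogus
! sources, offer the bastion only on TCP/80, let reflexive entries admit
! return traffic, and throw away ping sweeps WITHOUT logging so the
! remaining "deny ... log" line carries only the interesting noise.
ip access-list extended INGRESS
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit tcp any host 192.0.2.10 eq www
 evaluate REFLECT-TCP
 evaluate REFLECT-UDP
 evaluate REFLECT-ICMP
 deny icmp any any echo
 deny ip any any log
!
! Internet-facing interface: no layer-3 to layer-2 broadcast mapping
! (directed broadcasts), inbound and outbound lists applied.
interface Ethernet0
 description Internet-facing interface (assumed address)
 ip address 198.51.100.2 255.255.255.252
 no ip directed-broadcast
 ip access-group INGRESS in
 ip access-group EGRESS out
```

Two caveats a practitioner would want: reflexive ACLs only track the flow they saw, so protocols that open a second channel (active-mode FTP data, for instance) need an explicit permit or an application proxy; and the order matters, since the `deny icmp any any echo` line must sit after the `evaluate` statements or it will also swallow legitimate echo requests that are part of a tracked flow from inside. The reflexive lists also do nothing about content, which is Chris's point about locking down the bastion itself.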