OK.
For a good primer on two sample firewall architectures, refer to "Building
Internet Firewalls", 1st ed., by Brent D. Chapman and Elizabeth Zwicky,
Chapter 9, pages 321-349 (inclusive).
I would like to correct Bill's statement below: the issue with most of the
firewalls deployed is the ease of misconfiguration, and the administrative
overhead of complicating a simple architecture with lots of "what about this"
or "what about that". Firewall architecture is one piece of an overall network
security architecture.
The diagram illustrated below appears to be a standard WatchGuard drop-in
configuration. Refer to the WatchGuard Security System User's Guide for a
detailed explanation. As the poster states, they are replacing the
WatchGuard with FW-1 for NT, so it is very easy to set up a "Belt and
Suspenders" security architecture given the equipment listed below.
Please refer to Bellovin and Cheswick for the full explanation of a Belt
and Suspenders architecture.
Hope this helps.
/m
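The placement question below (one three-interface firewall, or two firewalls in series) as an added example, not code from any of the posters, WatchGuard or Check Point: a constructed Python model of a first-match packet filter, with made-up zone names, ports and rules, that shows what the same over-broad rule exposes in each layout. It illustrates both Bill's point about misconfiguration and the "belt and suspenders" argument above.

```python
"""Constructed model of the two firewall placements in the thread.

Scenario 1: one firewall (or an HA pair sharing a policy) with Internet, DMZ
and LAN interfaces.  Scenario 2: Internet - outer FW - DMZ - inner FW - LAN,
the "belt and suspenders" layout.  Zone names, ports and rules are made up;
a tiny first-match filter shows what one over-broad rule exposes in each.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

ANY = "*"
Port = Union[int, str]


@dataclass(frozen=True)
class Rule:
    src: str      # source zone or ANY
    dst: str      # destination zone or ANY
    port: Port    # destination port or ANY
    action: str   # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in (ANY, src) and self.dst in (ANY, dst)
                and self.port in (ANY, port))


def decide(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


def path_scenario1(src: str, dst: str) -> List[str]:
    # Every zone pair crosses the single three-interface firewall.
    return ["fw"]


def path_scenario2(src: str, dst: str) -> List[str]:
    zones = {src, dst}
    if zones == {"internet", "dmz"}:
        return ["outer"]
    if zones == {"dmz", "lan"}:
        return ["inner"]
    return ["outer", "inner"]   # internet <-> lan transits the DMZ segment


def reachable(firewalls: Dict[str, List[Rule]],
              path: Callable[[str, str], List[str]],
              src: str, dst: str, port: int) -> bool:
    """A flow gets through only if every firewall on its path allows it."""
    return all(decide(firewalls[fw], src, dst, port) == "allow"
               for fw in path(src, dst))


# Intended policy: public web server in the DMZ, LAN may initiate anywhere.
INTENDED = [
    Rule("internet", "dmz", 80, "allow"),
    Rule("lan", ANY, ANY, "allow"),
]
# The kind of slip Bill's point is about: the destination zone is left as
# ANY, so the web rule now reads "any destination on port 80".  An HA pair
# (Scenario 1 with two boxes) replicates this, since both share the policy.
MISTAKEN = [
    Rule("internet", ANY, 80, "allow"),
    Rule("lan", ANY, ANY, "allow"),
]
# Inner firewall of Scenario 2: nothing inbound to the LAN is listed.
INNER = [Rule("lan", ANY, ANY, "allow")]

# Constructed probe flows: (source zone, destination zone, destination port).
PROBES = [("internet", "dmz", 80), ("internet", "lan", 80),
          ("lan", "internet", 443), ("internet", "lan", 445)]


def exposure(firewalls: Dict[str, List[Rule]],
             path: Callable[[str, str], List[str]]) -> Dict[str, bool]:
    return {f"{s}->{d}:{p}": reachable(firewalls, path, s, d, p)
            for s, d, p in PROBES}


def compare() -> Dict[str, Dict[str, bool]]:
    return {
        "scenario1_intended": exposure({"fw": INTENDED}, path_scenario1),
        "scenario1_mistaken": exposure({"fw": MISTAKEN}, path_scenario1),
        "scenario2_outer_mistaken": exposure(
            {"outer": MISTAKEN, "inner": INNER}, path_scenario2),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name)
        for flow, ok in result.items():
            print(f"  {flow:22} {'ALLOW' if ok else 'deny'}")
```

The serial layout only helps while the two policies are written independently: if the same over-broad rule is copied onto the inner firewall as well, the second check adds nothing, which is why the model keeps the inner rule set separate and minimal.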
At 12:51 PM 7/12/00 -0400, [EMAIL PROTECTED] wrote:
>Simon,
>
>The answer depends on what you are trying to achieve. If you are doubling
>the firewalls for redundancy or bandwidth reasons then scenario one is the
>right choice. If you are looking for a more secure environment then
>scenario two may be the better option. I've designed and evaluated sites
>with both configurations and to be honest, I find little difference in the
>security profiles between a single firewall with an external, DMZ and
>Internal interface and a scenario two type configuration with two separate
>firewalls.
>
>Most firewall failures are due to misconfigurations, and firewalls with
>three (or more) interfaces are more complex to configure, which can lead to
>mistakes and vulnerabilities. Good luck in your endeavor.
>
>Bill Stackpole, CISSP
>
>
>
>[EMAIL PROTECTED]
>Sent by: [EMAIL PROTECTED]
>
>07/12/00 01:56 AM
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Firewall placement and the DMZ...
>
>Hi,
>
>I was hoping some of you would be able to give me your opinions on how I
>should proceed in my firewall placement strategy.
>Here is some detail on our current setup:
>
>Firewall = WatchGuard Firebox II.
>                                      - [LAN]
>[Internet] - [Router] - [Firewall] ---
>                                      - [DMZ]
>
>We will be replacing the Watchguard with Checkpoint Firewall-1 running on
>NT (I know about NT, but this is what the business wants). I will be
>wanting to implement 2 firewalls but I have yet to decide whether to go for
>fault tolerance, or to place the secondary firewall between the DMZ and the
>LAN:
>
>Scenario 1 (Fault tolerance)
>                                          - [LAN]
>[Internet] - [Router] - [Firewall x 2] ---
>                                          - [DMZ]
>
>Scenario 2 (higher security)
>[Internet] - [Router] - [Firewall] - [DMZ] - [Firewall] - [LAN]
>
>Your suggestions will be greatly appreciated.
>
>Regards
>
>Simon
>
>
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>