Mouss,

#setting up multiple (good) firewalls (one behind the other) limits the
#attacker choice.
#I agree. But to what extent is this the good choice, considering that many
#firewalls cost much money? Isn't it sufficient to have one FW and watch it
#carefully? Given that vulnerabilities cannot be completely eliminated, by 1
#FW or by more, what is the percentage of vulnerabilities
#idea. The purpose is to see whether setting up an additional FW is worth
#the cost.

     Ahhh, but it doesn't necessarily have to be another firewall.  If I
set up reflexive ACLs on the router between my firewall and the Internet
and reflexive ACLs on my internal routers, that gives me extra lines of
defense without requiring me to purchase more products.  I could also go
with a commercial firewall like Firewall-1 and a free firewall like
IPFilter on OpenBSD; this would give me two lines of defense at the cost of
an extra server (multiple servers if I am doing load balancing).  The
commercial firewall should satisfy upper management (God forbid we
implement something that didn't cost a penny :-)) and OpenBSD satisfies the
extra lines of defense that I want.  You can do this with a minimal cost
increase.

#- I said that adding a new element to the chain may weaken it, and haven't
#been clear enough.
#I agree that this should be rare. An example: consider a setup of 2 FWs,
#where the internal one has an "unknown" vulnerability, so the security
#admin doesn't know it. Suppose that an attacker can use this vulnerability
#to get a shell on this FW. Then he will be able to freely surf the
#internal network.
#Yes, there are many "suppositions" here, but this is definitely possible.

     You should have to penetrate the first line of defense before you can
penetrate the second line of defense.  In your example they must have
gotten past the first firewall before they can use an exploit on the
second.  If you only had the first firewall then the attack would have
succeeded in the first step rather than requiring a second step.  The
important thing is to make sure that all of your lines of defense are not
vulnerable to the same attack.  If someone can get through reflexive ACLs
on a router, two different firewalls and reflexive ACLs on my internal
routers and then gain root on a UNIX database server without using any
script kiddie stuff and without using the same attack against all of my
lines of defense, then that person is pretty darn smart.

Regards,
Jeffery Gieser

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
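For readers who have not configured the router-side layer Jeffery describes, the following is an added illustration (not part of the original message) of reflexive ACLs on a Cisco IOS border router sitting between the Internet and the firewall. The interface name Serial0, the address 192.0.2.10 for a mail relay, the ACL names and the 300-second timeout are all hypothetical. The idea: outbound traffic that matches a `reflect` entry creates a temporary mirror-image permit in the named reflexive list; inbound traffic is allowed only where it matches a static permit or an `evaluate` of those temporary entries, so an unsolicited inbound connection is dropped before it ever reaches the firewall behind the router.

```cisco
! Hypothetical border-router configuration (added example, not from the list post).
! Outbound: record each session so its return traffic can be matched.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
 permit icmp any any reflect ICMP-SESSIONS timeout 30

! Inbound: only statically published services plus replies to our own sessions.
ip access-list extended INBOUND
 ! Hypothetical mail relay on the DMZ side of the firewall.
 permit tcp any host 192.0.2.10 eq 25
 ! Temporary entries created by the reflect statements above.
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 evaluate ICMP-SESSIONS
 ! Everything else is dropped and logged for the watcher Mouss mentions.
 deny ip any any log

interface Serial0
 description Hypothetical link to the Internet
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

A caveat practitioners should keep in mind: reflexive ACLs track only the 5-tuple and a timeout, not TCP state, so they do not replace the stateful inspection of the firewall behind them. They are cheap because the router is already there, and they fail in a different way than the firewall does, which is exactly the "not vulnerable to the same attack" property the post argues for.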
