Security Basics mailing list archives
RE: Firewall and DMZ topology
From: John Brightwell <brightwell_151 () yahoo co uk>
Date: Thu, 12 Jun 2003 18:54:20 +0100 (BST)
I agree that in many cases a tri-homed system is 'adequately secure'; however, I think that a dual firewall implementation can provide a greater measure of security.

They may be more prone to failure than a single firewall, in that the same rule has to be applied to two different firewalls (and different operating systems), which increases the chance that a typo will cause a problem. But if it does fail then it's likely to fail safe, i.e. the new rule will allow traffic through one firewall but the errored firewall will block it.

This is one reason why a dual firewall solution is more secure: it's very easy, on a single firewall, to mistype an IP address, netmask or port number (or get the source and target mixed up), but making the same mistake twice on two different firewalls is more unlikely.

With a two firewall solution you can have different administrators for each firewall (if you have sufficient resources) so that any change requires two separate brains to be involved. It also stops a single admin being able to open ports in the perimeter security for their own purposes.

There's also a slight increase in security through having two firewalls (if they are a different make or base OS) because an exploit on one may not be exploitable on the other...

Having said all that, I've installed single, multi-homed firewalls plenty of times for the cost and convenience. It depends what you're protecting.

Previous message ....

I'm coming into this discussion a little late, and have browsed through most of the thread and agree with most of the statements made. Throughout my experience in the security field and a vast study of firewalls and DMZs I have come to the conclusion that a tri-homed system (utilizing NAT) in the long run is the easiest and cheapest way to go, and I do believe that it is as secure as a two firewall system approach due to the fact of human failure.

Meaning having two firewalls with two different rule sets on two different systems will open up a greater risk of human failure within the managing of the systems.

Brandon
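The fail-safe argument in the message above (a mistyped rule on one of two firewalls blocks traffic rather than exposing anything) can be checked mechanically. The following is an added example, not code from the thread or from either poster: it models two independent first-match, default-deny rule sets, passes a packet only if both allow it, and includes a consistency check that lists probe packets on which the two firewalls disagree, which is the check an administrator would run after entering the same change on both boxes. The rule format, the 192.0.2.0/24 DMZ and 198.51.100.7 client addresses, and the specific typos are all constructed for the example.

```python
"""Model of the fail-safe property of a dual-firewall perimeter.

Added example (not from the mailing-list thread).  Two independent
rule sets are evaluated first-match with an implicit final deny, and a
packet reaches the protected host only if BOTH firewalls allow it.  A
mistyped rule on one firewall therefore opens nothing on its own; it
just produces a disagreement that a consistency check can flag.

Rule format, addresses and ports are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR, e.g. "0.0.0.0/0"
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (
        ip_address(pkt.src) in ip_network(rule.src, strict=False)
        and ip_address(pkt.dst) in ip_network(rule.dst, strict=False)
        and rule.proto in ("any", pkt.proto)
        and rule.dport in (None, pkt.dport)
    )


def evaluate(ruleset: List[Rule], pkt: Packet) -> bool:
    """First-match evaluation; no match means deny."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule.action == "allow"
    return False


def passes_both(outer: List[Rule], inner: List[Rule], pkt: Packet) -> bool:
    """Traffic reaches the DMZ host only if both firewalls allow it."""
    return evaluate(outer, pkt) and evaluate(inner, pkt)


def disagreements(outer: List[Rule], inner: List[Rule], probes: List[Packet]) -> List[Packet]:
    """Probe packets on which the two firewalls give different verdicts.

    A non-empty list after a change means the rule was entered
    differently on the two boxes and one of them needs correcting."""
    return [p for p in probes if evaluate(outer, p) != evaluate(inner, p)]


# Intended policy: anyone may reach the DMZ web server 192.0.2.10 on TCP/443.
CORRECT = [Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443)]

# Same rule on the other firewall, but typed with /24 instead of /32,
# which on its own would expose every host in the DMZ subnet.
NETMASK_TYPO = [Rule("allow", "0.0.0.0/0", "192.0.2.0/24", "tcp", 443)]

# Another slip: source and destination swapped.
SWAPPED = [Rule("allow", "192.0.2.10/32", "0.0.0.0/0", "tcp", 443)]

# Constructed probe set: the intended service, a neighbour host, and SSH.
PROBES = [
    Packet("198.51.100.7", dst, proto, port)
    for dst, proto, port in product(["192.0.2.10", "192.0.2.20"], ["tcp"], [443, 22])
]


def demo() -> dict:
    web = Packet("198.51.100.7", "192.0.2.10", "tcp", 443)
    neighbour = Packet("198.51.100.7", "192.0.2.20", "tcp", 443)
    return {
        "intended_traffic_ok": passes_both(CORRECT, NETMASK_TYPO, web),
        "typo_alone_allows_neighbour": evaluate(NETMASK_TYPO, neighbour),
        "neighbour_reaches_host": passes_both(CORRECT, NETMASK_TYPO, neighbour),
        "web_reaches_host_with_swap": passes_both(CORRECT, SWAPPED, web),
        "probes_flagged_by_check": len(disagreements(CORRECT, NETMASK_TYPO, PROBES)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two failure modes behave as the message describes: the netmask typo is an over-permissive rule on one firewall, yet the neighbour host is still unreachable because the correctly configured firewall never matches it, and the swapped rule simply blocks the intended traffic until someone notices. The `disagreements` check turns that silent block into a visible finding, which is the practical way to get the safety of two rule sets without waiting for a user to report that the service is down.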