Firewall Wizards mailing list archives
RE: New FW architecture? (was RE: Time for a new FWTK?)
From: "Stout, William" <StoutW () pios com>
Date: Mon, 01 Dec 1997 15:57:56 -0500
(Forgive my ramblings.) I believe this is the natural evolution of the firewall architecture (note that I did not say proxy server). IMNSO, it's inane to force all the possible protocol filtering requirements of a corporation onto one box, especially if one user exposes the entire corporation to a new, unproven protocol.

'The Internet' is a collection of compartmented networks. For easier-to-manage and -monitor security, you can compartmentalize networks further with additional firewalls. However, the only way that one could manage the security of a large number of firewalls is to delegate some of the authority and decisions to departments, and monitor them centrally.

If we forced a 'DMZ backbone' on corporations they'd puke, due to the need to completely redesign their network architecture. So let's compact it. Collapse the backbone into a switch. Rack of proxy servers. Security management station. Multiport IDS box. Dynamic rules. Direct access requirement for privileged admin, remote access for departmental admin. 'Spanning tree' or loop detection (to prevent cross-departmental lines).

Here:

                                    To management
                                         |
                                     ----------
     bus/net ->           x---| FW & IDS|
                              | Mgt Sys |--->other places as required
     Monitor               +--|         |
     port ->               |   ----------
    -----------            |   ----------
    |         |------------+--|   FW-a  |---------Department a (MIS)
    |  'VPN'  |            |   ----------
    |  Switch |            |   ----------
    |         |------------+--|   FW-b  |---------Department b
    |         |            |   ----------
    |Collapsed|            |   ----------
    |backbone |------------+--|   FW-c  |---------Department c
    |  'DMZ'  |            |   ----------
    |         |            |   ----------
    |         |------------+--|   FW-d  |---------Department d
    -----------            |   ----------
                           |    ...etc...
                           |   ----------
                           +--| (weak)  |
                              |   FW-I  |--->Internet
                               ----------

The IDS and management station could potentially be combined. With enough horsepower, the group could be combined into a single system running multiple O.S. partitions. (Gee, this almost looks like an IBM SP system.) It would be interesting if the IDS system could control the DMZ switch. It would be interesting if the FWs were also IDS probes (clients).

One could rename 'Department' to 'zone' so one could visualize 'zoning' the corporation by building, location, etc., rather than dividing it along departmental lines. The Internet firewall could be more than one for high bandwidth/failover needs.

BTW - I do like the idea of making the IS department an internal ISP. That potentially opens a whole new competitive market of service providers who might be able to provide better service than an IS department.

Bill Stout

PS - John McDermott's idea of CI, DI, OI nomenclature is good, but I get confused too easily by multiple terms.
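The post's "loop detection (to prevent cross-departmental lines)" is the one point in it that can be mechanised: in the collapsed-backbone design every department-to-department (or department-to-Internet) path must cross the DMZ switch, so a side link that joins two departments directly is a policy violation even before any firewall rule is wrong. The following is an added example, not code from the original post or from any product it mentions; the topology, the node names (DMZ-switch, FW-a, Dept-a, FW-I, ...) and the rogue links are constructed for illustration. It removes the backbone from a link graph and reports any pair of zones that can still reach each other.

```python
"""Added example: detect links that bypass the collapsed 'DMZ' backbone.

Model the post's diagram as an undirected link graph, delete the backbone
switch, and see which zones can still reach one another. Any such pair
has a 'cross-departmental line' that the design forbids.
Topology and names below are constructed for illustration.
"""
from collections import deque

# Constructed topology mirroring the post's diagram: node -> neighbours.
TOPOLOGY = {
    "DMZ-switch": {"FW-a", "FW-b", "FW-c", "FW-d", "FW-I", "Mgt"},
    "FW-a": {"DMZ-switch", "Dept-a"},
    "FW-b": {"DMZ-switch", "Dept-b"},
    "FW-c": {"DMZ-switch", "Dept-c"},
    "FW-d": {"DMZ-switch", "Dept-d"},
    "FW-I": {"DMZ-switch", "Internet"},
    "Mgt": {"DMZ-switch"},
    "Dept-a": {"FW-a"},
    "Dept-b": {"FW-b"},
    "Dept-c": {"FW-c"},
    "Dept-d": {"FW-d"},
    "Internet": {"FW-I"},
}

# Zones whose mutual isolation the backbone is supposed to enforce.
DEPARTMENTS = {"Dept-a", "Dept-b", "Dept-c", "Dept-d"}


def add_link(topo, a, b):
    """Return a copy of topo with an undirected link a <-> b added
    (used here to simulate a department pulling its own cable)."""
    new = {k: set(v) for k, v in topo.items()}
    new.setdefault(a, set()).add(b)
    new.setdefault(b, set()).add(a)
    return new


def reachable_without(topo, src, dst, blocked):
    """Breadth-first search from src to dst that never enters a node in
    `blocked`. Returns True if some path exists."""
    seen = {src}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in topo.get(node, ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return False


def find_bypasses(topo, zones, backbone="DMZ-switch"):
    """Return sorted (zone_x, zone_y) pairs that remain mutually reachable
    once the backbone is removed, i.e. links that bypass the DMZ."""
    ordered = sorted(zones)
    bad = []
    for i, x in enumerate(ordered):
        for y in ordered[i + 1:]:
            if reachable_without(topo, x, y, {backbone}):
                bad.append((x, y))
    return bad


if __name__ == "__main__":
    print("clean design:", find_bypasses(TOPOLOGY, DEPARTMENTS))
    rogue = add_link(TOPOLOGY, "Dept-b", "Dept-c")
    print("department side link:", find_bypasses(rogue, DEPARTMENTS))
    leak = add_link(TOPOLOGY, "Dept-a", "Internet")
    print("direct Internet line:",
          find_bypasses(leak, DEPARTMENTS | {"Internet"}))
```

Including "Internet" in the zone set catches the other failure the post worries about, a department that wires itself to the outside and skips the (weak) FW-I entirely. Real spanning-tree protocols block such a loop at layer 2, but they do so silently; the check above is the kind of thing a central management station would run against the link inventory so the bypass is reported rather than merely blocked.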
Current thread:
- RE: New FW architecture? (was RE: Time for a new FWTK?) Stout, William (Dec 01)
- <Possible follow-ups>
- RE: New FW architecture? (was RE: Time for a new FWTK?) Ted Doty (Dec 03)
- RE: New FW architecture? (was RE: Time for a new FWTK?) Stout, William (Dec 03)
- RE: New FW architecture? (was RE: Time for a new FWTK?) Safier, Adam (GEIS) (Dec 08)
- RE: New FW architecture? (was RE: Time for a new FWTK?) Stout, William (Dec 09)
- RE: New FW architecture? (was RE: Time for a new FWTK?) Safier, Adam (GEIS) (Dec 11)