Firewall Wizards mailing list archives

Re: DMZ Building Practice


From: Holger Kipp <holger.kipp () alogis com>
Date: Thu, 17 Jan 2002 09:36:07 +0100

Brad_MacQuarrie () maritimelife ca wrote:

I have a question which may be more philosophy than engineering but here
goes:  What have folks most often embraced as the best practice in building
a DMZ'd infrastructure:  multiple, two-interface firewalls between DMZs or
a single firewall with multiple interfaces forming the DMZs.  I realize
that cost likely owns the lion's share of this decision but other
considerations would be helpful as well.

I wouldn't consider this a philosophical question ;-)

The general setup could be seen as something like:
I left out intrusion detection systems (IDS).

(INTERNET)
    |
    |
    +----------------------------------------+----...
    |                                        |
[Firewall A1]-----(DMZ1)               [Firewall A2]----(DMZ4)
    |     |                                  |   |
    |     +-------(DMZ2)                     |   +------(DMZ5)
    |                                        |
    +-------------(DMZ3)                     +---...
    |
    |
[Firewall B]------(internal LAN1)-----[Dial-In] <- Staff
    |  |  |
    |  |  +-------(internal LAN2)-----[Dial-In] <- Other companies
    |  |
    |  +----------(internal LAN3)-----[Dial-Out] -> Other companies
    |
    +-------------(internal LAN4) "standard security"
    |
    |
[Firewall C]------(internal LAN5) "high security"
    | ...

-------------------------

(internal LANx) "highest security" (no connection to other LANs)

Of course every single LAN could also be divided into several
sections with the use of Firewalls. Depending on what is needed
(services like smtp, snmp, http, pop3, imap, telnet, ftp, ssh,
authentication via SecureID, Kerberos,...) the firewalls can be
anything between state-based packet filters and full-scale
application gateways.

Using dedicated Firewalls makes configuration much easier and also
improves security (if one Firewall is compromised (e.g. A1), the others
are still working correctly).

The additional costs for a commercial firewall might force companies
to collapse several firewalls into one with several network adapters.
As long as the firewall is not compromised and the filter configuration
is correct, there is not much difference in security IMHO.

I'd say it is all a matter of money and the company's security policy:
the cost of protecting the internal data should not exceed the value
of this data. Proper administration of firewalls, virus scanners etc.
is also expensive, as well as the physical protection: if cleaning
personnel can enter the server room without authentication, what's
the advantage of top-notch firewall equipment?

Regards,
Holger

-- 
Holger Kipp, Dipl.-Math., Systemadministrator  | alogis AG
Fon: +49 (0)30 / 43 65 8 - 114                 | Berliner Strasse 26
Fax: +49 (0)30 / 43 65 8 - 214                 | D-13507 Berlin Tegel
email: holger.kipp () alogis com                  | http://www.alogis.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
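The trade-off Holger describes (dedicated firewalls limit the damage when one box is compromised; a single multi-homed firewall is equivalent only while it is not compromised) can be made concrete with a small reachability model. The following Python is an added example, not code from the thread or from any product; the zone names, the two topologies and the allow-lists are constructed to approximate the diagram above (A1, B and C in a chain, with a "TRANSIT" zone standing in for the link between A1 and B, versus one firewall "X" joining every zone). A compromised firewall is modelled as forwarding freely between all of its interfaces, and an attacker who can reach a zone is assumed to be able to originate new connections from it.

```python
"""
Blast-radius model for the two DMZ designs in the thread (constructed example).

A firewall is (name, attached zones, allowed (src_zone, dst_zone) pairs).
Policy pairs describe the *initiating* direction only; stateful return
traffic is implicit, so "(LAN1, TRANSIT)" lets LAN1 open connections
outward without letting TRANSIT open connections into LAN1.
"""
from collections import deque


def build_dedicated():
    """Several dedicated firewalls, roughly the A1 -> B -> C chain of the diagram."""
    return [
        ("A1", ["INTERNET", "DMZ1", "DMZ2", "TRANSIT"], {
            ("INTERNET", "DMZ1"), ("INTERNET", "DMZ2"),    # public services in the DMZs
            ("TRANSIT", "INTERNET"), ("TRANSIT", "DMZ1"),  # inside may go out to Internet/DMZ1
        }),
        ("B", ["TRANSIT", "LAN1", "LAN4"], {
            ("LAN1", "TRANSIT"), ("LAN4", "TRANSIT"),      # internal LANs initiate outward only
        }),
        ("C", ["LAN4", "LAN5"], {
            ("LAN5", "LAN4"),                              # high-security LAN initiates only
        }),
    ]


def build_collapsed():
    """One firewall with an interface in every zone; same intended policy."""
    zones = ["INTERNET", "DMZ1", "DMZ2", "LAN1", "LAN4", "LAN5"]
    return [
        ("X", zones, {
            ("INTERNET", "DMZ1"), ("INTERNET", "DMZ2"),
            ("LAN1", "INTERNET"), ("LAN1", "DMZ1"),
            ("LAN4", "INTERNET"),
            ("LAN5", "LAN4"),
        }),
    ]


def reachable(firewalls, start, compromised=frozenset()):
    """Zones an attacker starting in `start` can originate traffic into,
    pivoting through each zone reached.  A firewall named in `compromised`
    forwards between any two of its interfaces regardless of policy."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for name, ifaces, policy in firewalls:
            if zone not in ifaces:
                continue
            for nxt in ifaces:
                if nxt in seen:
                    continue
                if name in compromised or (zone, nxt) in policy:
                    seen.add(nxt)
                    queue.append(nxt)
    return sorted(seen)


def blast_radius(firewalls):
    """Map each firewall name to the zones the Internet reaches if that one is compromised."""
    return {name: reachable(firewalls, "INTERNET", {name}) for name, _, _ in firewalls}


if __name__ == "__main__":
    for label, fws in (("dedicated", build_dedicated()), ("collapsed", build_collapsed())):
        print(f"{label:9s} healthy      : {reachable(fws, 'INTERNET')}")
        for name, zones in blast_radius(fws).items():
            print(f"{label:9s} {name} compromised: {zones}")
```

With every firewall intact both designs expose exactly DMZ1 and DMZ2 to the Internet, which is the "not much difference" case. Compromising A1 in the dedicated design adds only the transit link, because B's policy still refuses connections initiated from that side, and compromising B or C from the Internet changes nothing without first getting past A1; compromising X in the collapsed design exposes every LAN, including the "high security" one.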