Firewall Wizards mailing list archives
Re: DMZ Building Practice
From: Holger Kipp <holger.kipp () alogis com>
Date: Thu, 17 Jan 2002 09:36:07 +0100
Brad_MacQuarrie () maritimelife ca wrote:
I have a question which may be more philosophy than engineering but here goes: What have folks most often embraced as the best practice in building a DMZ'd infrastructure: multiple, two-interface firewalls between DMZs or a single firewall with multiple interfaces forming the DMZs. I realize that cost likely owns the lion's share of this decision but other considerations would be helpful as well.
I wouldn't consider this a philosophical question ;-)

The general setup could be seen as something like:
(I left out intrusion detection systems (IDS).)

(INTERNET)
     |
     |
     +----------------------------------------+----...
     |                                        |
[Firewall A1]-----(DMZ1)               [Firewall A2]----(DMZ4)
     |  |                                     |  |
     |  +-------(DMZ2)                        |  +------(DMZ5)
     |  |                                     |
     |  +-------------(DMZ3)                  +---...
     |
     |
[Firewall B]------(internal LAN1)-----[Dial-In] <- Staff
     |  |  |
     |  |  +-------(internal LAN2)-----[Dial-In] <- Other companies
     |  |
     |  +----------(internal LAN3)-----[Dial-Out] -> Other companies
     |
     +-------------(internal LAN4) "standard security"
     |
     |
[Firewall C]------(internal LAN5) "high security"
     |
    ...

------------------------- (internal LANx) "highest security"
                          (no connection to other LANs)

Of course, every single LAN could also be divided into several sections with the use of firewalls.

Depending on what is needed (services like smtp, snmp, http, pop3, imap, telnet, ftp, ssh, authentication via SecurID, Kerberos, ...) the firewalls can be anything between state-based packet filters and full-scale application gateways.

Using dedicated firewalls makes configuration much easier and also improves security (if one firewall is compromised, e.g. A1, the others are still working correctly). The additional costs for a commercial firewall might force companies to collapse several firewalls into one with several network adapters. As long as the firewall is not compromised and the filter configuration is correct, there is not much difference in security IMHO.

I'd say it is all a matter of money and the company's security policy: the cost of protecting the internal data should not exceed the value of this data. Proper administration of firewalls, virus scanners etc. is also expensive, as well as the physical protection: if cleaning personnel can enter the server room without authentication, what's the advantage of top of the notch firewall equipment?
Regards,
Holger

--
Holger Kipp, Dipl.-Math., Systemadministrator | alogis AG
Fon: +49 (0)30 / 43 65 8 - 114                | Berliner Strasse 26
Fax: +49 (0)30 / 43 65 8 - 214                | D-13507 Berlin Tegel
email: holger.kipp () alogis com              | http://www.alogis.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
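The trade-off in the reply above (a compromised dedicated firewall exposes only the segments it joins, while a collapsed multi-interface box with a correct rule set behaves the same until it is compromised) can be made concrete with a small model. The following is an added example and not code from the thread or from either poster; the zone names, firewall names and the rule set are constructed to mirror the diagram, and the model simplifies real filtering by assuming each rule is enforced by the firewall that joins the two zones it names.

```python
"""Added example, not part of the thread: a toy model of the two DMZ designs
(dedicated firewalls vs. one collapsed multi-interface firewall). It
computes which zones a host in a start zone can ultimately reach under a
default-deny policy, optionally with one firewall compromised, and lints
the policy for over-broad rules. All names and rules are constructed."""
from collections import defaultdict, deque

# Zones ordered from least to most trusted (constructed, mirrors the diagram).
TRUST = ["INTERNET", "DMZ1", "DMZ2", "DMZ3", "LAN1", "LAN4", "LAN5"]

# Design (a): dedicated firewalls, each joining only its own segments.
DEDICATED = {
    "A1": {"INTERNET", "DMZ1", "DMZ2", "DMZ3"},
    "B":  {"DMZ1", "DMZ2", "DMZ3", "LAN1", "LAN4"},
    "C":  {"LAN4", "LAN5"},
}
# Design (b): the same zones collapsed onto one box with many interfaces.
COLLAPSED = {"FW": set(TRUST)}

# Filter policy as (src_zone, dst_zone, service); anything not listed is
# denied. Simplification: a rule is enforced by the firewall that joins
# both zones, so multi-hop paths need a matching rule at every hop.
POLICY = [
    ("INTERNET", "DMZ1", "smtp"),   # public mail relay
    ("INTERNET", "DMZ2", "http"),   # public web server
    ("DMZ1", "LAN1", "smtp"),       # relay hands mail to the internal server
    ("LAN1", "DMZ1", "smtp"),
    ("LAN1", "DMZ2", "http"),
    ("LAN4", "LAN5", "ssh"),        # admin access into the high-security LAN
    ("DMZ3", "LAN1", "any"),        # over-broad rule, flagged by lint_policy
]


def allowed_edges(firewalls, policy):
    """zone -> {(dst_zone, service)} a host may initiate, given the
    policy as enforced by the firewalls passed in (intact ones only)."""
    edges = defaultdict(set)
    for src, dst, svc in policy:
        if any({src, dst} <= zones for zones in firewalls.values()):
            edges[src].add((dst, svc))
    return edges


def reachable(firewalls, policy, start, compromised=None):
    """Zones reachable from `start`, walking permitted flows hop by hop.
    A compromised firewall forwards freely between all zones it joins,
    so once the attacker is on any of them, all of them are reachable."""
    intact = {f: z for f, z in firewalls.items() if f != compromised}
    edges = allowed_edges(intact, policy)
    free = firewalls.get(compromised, set())
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        nxt = {dst for dst, _ in edges[zone]}
        if zone in free:
            nxt |= free
        for dst in nxt - seen:
            seen.add(dst)
            queue.append(dst)
    return seen


def lint_policy(policy, trust=TRUST):
    """Rules that let a less-trusted zone initiate *any* service toward a
    more-trusted one undo the segmentation; return them for review."""
    rank = {z: i for i, z in enumerate(trust)}
    return [r for r in policy if r[2] == "any" and rank[r[0]] < rank[r[1]]]


if __name__ == "__main__":
    for name, design, box in (("dedicated", DEDICATED, "A1"),
                              ("collapsed", COLLAPSED, "FW")):
        print(f"{name:9} intact     : {sorted(reachable(design, POLICY, 'INTERNET'))}")
        print(f"{name:9} {box} owned : {sorted(reachable(design, POLICY, 'INTERNET', box))}")
    print("over-broad rules:", lint_policy(POLICY))
```

Run stand-alone, the script shows that with every firewall intact both designs expose exactly the same zones from the Internet (the policy decides, not the box count), that losing A1 in the dedicated design still leaves LAN4 and LAN5 behind firewalls B and C, and that losing the single collapsed firewall exposes every zone. The lint pass is the kind of check worth running on the collapsed design in particular, since there the rule set is the only thing separating the segments.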
Current thread:
- DMZ Building Practice Brad_MacQuarrie (Jan 16)
- Re: DMZ Building Practice Holger Kipp (Jan 17)