Firewall Wizards mailing list archives
Re: Screening Router as a firewall
From: Avishai Wool <avishai_w () yahoo com>
Date: Sat, 26 Mar 2005 09:40:43 -0800 (PST)
Shimon, here is a long answer to your question.

Let's first challenge your premise: what is the purpose of having multiple firewalls in series? Clearly, the reason is the assumption that 2 firewalls are more secure than one. Why should this assumption hold? After all, if the security policy allows some traffic to reach from source to destination, then BOTH firewalls will have the necessary "pass" rules. You need only one of the firewalls to drop unallowed traffic, so you could possibly save duplicating "drop" rules, but this is not giving you any more security. So, I conclude that if both firewalls are correctly enforcing the same policy, their combined filtering effect is identical to having just one - the other one is redundant (read "useless").

Another possible reason for the thought that "2 are better than 1" is "reliability": let's assume that each firewall has a "failure" probability of p; then the probability of both failing at the same time is p^2, right? Wrong! That calculation is correct only if the failure probabilities are _independent_, which most certainly is not the case for 2 firewalls connected in series, configured by the same staff, with the same power grid, etc. etc. Their failure probabilities are highly correlated. Moreover, the main reason for firewall "failure" (which means allowing bad traffic through) is poor configuration - see citation [1] below. It's not a power failure or a bug in the vendor's code. So duplicating the hardware, even from different vendors, won't buy you the "failure independence" your management is looking for. You might get some independence if you have separate teams configuring the devices - I doubt if many organizations do this; it sounds like operational hell...

I can think of only 2 rational reasons to have 2 firewalls.

1. Performance: you could get a performance boost if your outer firewall was a fast but "stupid" device: you let it throw away the obvious junk, and let the slower but smarter device work on a lighter traffic load.

2. You want to put machines between the firewalls and form a DMZ. This is fine, and does not contradict my argument from before, because the two firewalls are enforcing different policies now.

With this analysis in mind, I would say that if you want option #1, then putting filtering access lists on a router in front of the main firewall is a fine solution. If you want option #2 (DMZ), then you want real firewalls both in front of and behind the DMZ. I wouldn't "skimp" on the inside firewall, because the DMZ could pose as bad a security risk as the "outside". In either case I wouldn't rely on a Microsoft ISA: it's running the same OS as many of your internal machines, so it is as vulnerable to malware as those internal machines. This is where failure probability independence does make sense: it's plausible that one vendor's bugs are independent of another's.

HTH
Avishai

Reference:
[1] A. Wool. A quantitative study of firewall configuration errors. IEEE Computer, 37(6):62-67, 2004. http://www.eng.tau.ac.il/~yash/computer2004.pdf

--- Shimon Silberschlag <shimons () bll co il> wrote:
> Hello group,
>
> Having a request for at least 2 firewalls protecting internet connectivity, would you consider a border router with ACLs as the first firewall, or would you demand to implement ACLs on the router and 2 other "traditional" firewalls?
>
> If you select the first option, would simple "packet filter" type ACLs suffice, or would you demand "stateful" ACLs? (I believe Cisco calls its implementation CBAC).
>
> If you select the second option, would you demand that the 2 firewalls be of different brand, different technology, or can they be the same product? Can ISA2004 serve as the second, internal-facing firewall? Anyone using it as such?
>
> TIA,
> Shimon Silberschlag
> +972-3-9351572
> +972-50-7207130
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Avishai Wool, Ph.D., http://www.algosec.com http://www.eng.tau.ac.il/~yash yash () acm org Tel: +972-3-640-6316 Fax: +972-3-640-7095
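Two of the claims in the reply above can be checked on a toy model: that two filters enforcing the same policy decide every packet exactly as one of them would, and that a "stupid" outer ACL only changes how many packets the main firewall has to look at, not what gets through; plus the p^2 reliability argument, which only holds when there is no shared cause of failure. The following Python model is an added example written for this archive page, not code from the poster or the list. The rule sets, the policies and the sample packets (documentation address ranges) are constructed for illustration, and the "shared cause" failure model is an assumption used to put a number on the correlation the reply describes.

```python
"""Toy model: packet filters in series, and correlated failure probability."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> bool:
    """First-match evaluation; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "pass"
    return False


def series(stages: List[List[Rule]], pkt: Packet) -> Tuple[bool, int]:
    """Send the packet through the stages in order.
    Returns (accepted, index of the last stage that evaluated it)."""
    for i, rules in enumerate(stages, start=1):
        if not decide(rules, pkt):
            return False, i
    return True, len(stages)


# Constructed sample policies (hypothetical, documentation address space).
JUNK_SOURCES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # private space seen from the Internet

# The real policy: drop junk, allow web traffic to one public server, deny the rest.
MAIN_POLICY = [Rule("drop", src=net) for net in JUNK_SOURCES] + [
    Rule("pass", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("pass", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("drop"),
]

# A fast, "stupid" router ACL: discards only the obvious junk and passes everything else.
OUTER_ACL = [Rule("drop", src=net) for net in JUNK_SOURCES] + [Rule("pass")]

SAMPLE_PACKETS = [                                          # constructed traffic
    Packet("198.51.100.7", "203.0.113.10", "tcp", 80),    # legitimate web
    Packet("198.51.100.7", "203.0.113.10", "tcp", 443),   # legitimate web
    Packet("198.51.100.7", "203.0.113.10", "tcp", 22),    # not allowed by policy
    Packet("198.51.100.7", "203.0.113.11", "udp", 53),    # wrong host, not allowed
    Packet("10.1.2.3", "203.0.113.10", "tcp", 80),        # private source: junk
    Packet("192.168.5.5", "203.0.113.10", "tcp", 443),    # private source: junk
]


def compare(stages: List[List[Rule]], baseline: List[Rule],
            packets: List[Packet]) -> Tuple[bool, int]:
    """Return (same_decisions, last_stage_load): whether the chain decides every packet
    exactly as the single baseline filter would, and how many packets the last stage saw."""
    same = True
    last_stage_load = 0
    for pkt in packets:
        accepted, depth = series(stages, pkt)
        if accepted != decide(baseline, pkt):
            same = False
        if depth == len(stages):
            last_stage_load += 1
    return same, last_stage_load


def joint_failure_probability(p: float, shared: float) -> float:
    """Probability that two firewalls in series both fail (let bad traffic through).
    p      - each device's overall failure probability
    shared - probability of a common-cause failure hitting both (e.g. the same
             misconfiguration pushed by the same staff); 0 <= shared <= p.
    Assumed model: a device fails if the common cause occurs, or, independently,
    its own fault occurs, so that each device's overall failure probability is still p."""
    q = (p - shared) / (1.0 - shared)       # per-device independent-only fault probability
    return shared + (1.0 - shared) * q * q


if __name__ == "__main__":
    print("single firewall      :", compare([MAIN_POLICY], MAIN_POLICY, SAMPLE_PACKETS))
    print("same policy twice    :", compare([MAIN_POLICY, MAIN_POLICY], MAIN_POLICY, SAMPLE_PACKETS))
    print("router ACL + firewall:", compare([OUTER_ACL, MAIN_POLICY], MAIN_POLICY, SAMPLE_PACKETS))
    for shared in (0.0, 0.05, 0.1):
        print(f"p=0.1 shared={shared}: P(both fail) = {joint_failure_probability(0.1, shared):.4f}")
```

With these inputs every chain makes the same decision as the single main firewall; the only thing the router ACL changes is that the main firewall evaluates 4 of the 6 packets instead of all 6, which is the performance argument. For the reliability side, with p = 0.1 the independent case gives 0.01, but once all of the per-device failure risk is a shared cause the joint probability is back at 0.1, i.e. no gain at all from the second device.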