Firewall Wizards mailing list archives

Re: Screening Router as a firewall


From: Kevin <kkadow () gmail com>
Date: Thu, 24 Mar 2005 14:20:50 -0600

On Thu, 24 Mar 2005 15:37:57 +0200, Shimon Silberschlag
<shimons () bll co il> wrote:
> Having a request for at least 2 firewalls protecting internet connectivity,
> would you consider a border router with ACLs as the first firewall, or would
> you demand to implement ACLs on the router and 2 other "traditional"
> firewalls?

Can you show a simple ASCII diagram of what you mean by
"at least 2 firewalls" and by "protecting internet connectivity"?

What threats are being protected against by this design?

Are you referring to making internet-accessible servers the "meat"
in a firewall sandwich, or just loading up two sets of firewalls
back-to-back with crossover cables?


> If you select the first option, would simple "packet filter" type ACLs
> suffice, or would you demand "stateful" ACLs?
> (I believe Cisco calls its implementation CBAC).

A "filter router" on the edge is a good thing.  It doesn't count as being
a "firewall" but that doesn't mean it isn't useful.  You can stop quite a
bit of the internet background noise with a few simple stateless ACLs,
and with good egress filtering, avoid contributing to the problem.


> If you select the second option, would you demand that the 2 firewalls be of
> different brand, different technology or can they be the same product?

There's no real benefit to be had in layering two identical but physically
distinct firewalls of the same brand and design.  The only place you
might see this done is where the two sets of firewalls are managed by
two independent groups, such as in a B2B connection or a particularly
schizophrenic organization.


> Can ISA2004 serve as the second, internal facing firewall?
> Anyone using it as such?

I have a hard time even using "ISA2004" and "firewall" in the same sentence.

Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
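As an added illustration of the "filter router" Kevin describes (stateless ingress ACLs to drop background noise and forged sources, plus egress filtering so the site cannot be used to spoof), here is a Cisco IOS configuration fragment. It is not from either mail; the 203.0.113.0/24 prefix, the host addresses, the published services and the interface name Serial0/0 are constructed placeholders.

```cisco
! Added example, not part of the original thread. Assumes the site owns
! 203.0.113.0/24 (documentation prefix, constructed) and the Internet
! uplink is Serial0/0. Stateless ACLs only: no CBAC or other inspection.

! Ingress: drop forged or useless sources before they reach the firewalls
ip access-list extended EDGE-IN
 remark -- our own prefix must never arrive from the Internet (spoofed)
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark -- RFC 1918, loopback, link-local, multicast and unspecified sources
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip host 0.0.0.0 any
 remark -- only the published services, only to the published hosts
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.25 eq 25
 permit udp any host 203.0.113.53 eq 53
 remark -- replies to outbound TCP; "established" is a stateless flag check
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark -- keep path MTU discovery working
 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
 deny   ip any any log

! Egress: nothing leaves with a source address this site does not own
ip access-list extended EDGE-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log

interface Serial0/0
 description Internet uplink (constructed name)
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
 no ip directed-broadcast
 no ip redirects
```

The `log` keyword on the final deny entries turns spoofed or unexpected traffic into syslog records, so the router gives some visibility even though it does no stateful inspection.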