Firewall Wizards mailing list archives
Re: Screening Router as a firewall
From: Kevin <kkadow () gmail com>
Date: Thu, 24 Mar 2005 14:20:50 -0600
On Thu, 24 Mar 2005 15:37:57 +0200, Shimon Silberschlag <shimons () bll co il> wrote:
> Having a request for at least 2 firewalls protecting internet connectivity, would you consider a border router with ACLs as the first firewall, or would you demand to implement ACLs on the router and 2 other "traditional" firewalls?

Can you show a simple ASCII diagram of what you mean by "at least 2 firewalls" and by "protecting internet connectivity"? What threats are being protected against by this design? Are you referring to making internet-accessible servers the "meat" in a firewall sandwich, or just loading up two sets of firewalls back-to-back with crossover cables?

> If you select the first option, would simple "packet filter" type ACLs suffice, or would you demand "stateful" ACLs?

A "filter router" on the edge is a good thing. It doesn't count as being a "firewall" but that doesn't mean it isn't useful. You can stop quite a bit of the internet background noise with a few simple stateless ACLs, and with good egress filtering, avoid contributing to the problem.

> (I believe Cisco calls its implementation CBAC).
>
> If you select the second option, would you demand that the 2 firewalls be of different brand, different technology or can they be the same product?

There's no real benefit to be had in layering two identical but physically distinct firewalls of the same brand and design. The only place you might see this done is where the two sets of firewalls are managed by two independent groups, such as in a B2B connection or a particularly schizophrenic organization.

> Can ISA2004 serve as the second, internal facing firewall? Anyone using it as such?

I have a hard time even using "ISA2004" and "firewall" in the same sentence.

Kevin Kadow
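As an added illustration of Kevin's point about what a stateless "filter router" on the edge can and cannot do (this is constructed example code written for this archive page, not from the thread, from Cisco, or from any vendor), the script below models a first-match ACL with an implicit deny, an ingress list that drops spoofed and private-range sources and only admits new connections to a public web server, and an egress list that lets only our own address block leave. The address blocks (203.0.113.0/24, 198.51.100.0/24), the rule set, the sample packets and the `established` semantics (TCP with the ACK bit set, modelled on the IOS keyword of that name) are all assumptions made for the example. The `forged_ack_445` sample shows the limit of stateless filtering: a packet with ACK set to an internal host is permitted because the router has no session table to check it against, which is the gap a stateful engine such as the CBAC Shimon mentions is meant to close.

```python
"""Stateless filter-router ACL simulation (constructed example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    ack: bool = False   # TCP ACK flag: all a stateless "established" test can see


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    established: bool = False   # assumption: mimics IOS 'established' (TCP with ACK set)

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


# Constructed addressing (assumption): our public block and one web server in it.
OUR_NET = "203.0.113.0/24"
WEB_SERVER = "203.0.113.10/32"
# Source ranges that should never arrive from the Internet.
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
          "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4"]

# Inbound on the outside interface.
INGRESS_ACL = (
    [Rule("deny", src=OUR_NET)]                      # our own addresses from outside = spoofed
    + [Rule("deny", src=b) for b in BOGONS]          # background noise from unroutable sources
    + [Rule("permit", dst=WEB_SERVER, proto="tcp", dport=80),
       Rule("permit", dst=WEB_SERVER, proto="tcp", dport=443),
       Rule("permit", dst=OUR_NET, proto="tcp", established=True)]  # "replies" to our sessions
)
# Outbound: only packets sourced from our block may leave (egress filtering).
EGRESS_ACL = [Rule("permit", src=OUR_NET)]

# Constructed sample traffic, keyed by what each packet represents.
SAMPLES = {
    "private_src_inbound": (INGRESS_ACL, Packet("192.168.1.5", "203.0.113.10", "tcp", 80)),
    "web_syn":             (INGRESS_ACL, Packet("198.51.100.7", "203.0.113.10", "tcp", 80)),
    "scan_syn_445":        (INGRESS_ACL, Packet("198.51.100.7", "203.0.113.50", "tcp", 445)),
    "forged_ack_445":      (INGRESS_ACL, Packet("198.51.100.7", "203.0.113.50", "tcp", 445, ack=True)),
    "spoofed_our_addr":    (INGRESS_ACL, Packet("203.0.113.99", "203.0.113.10", "tcp", 80)),
    "legit_outbound":      (EGRESS_ACL, Packet("203.0.113.20", "198.51.100.1", "tcp", 443)),
    "spoofed_outbound":    (EGRESS_ACL, Packet("10.0.0.5", "198.51.100.1", "udp", 53)),
}


def run_demo() -> dict:
    """Evaluate every sample; return {name: (action, index of matching rule or None)}."""
    return {name: evaluate(acl, pkt) for name, (acl, pkt) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, idx) in run_demo().items():
        where = f"rule {idx}" if idx is not None else "implicit deny"
        print(f"{name:20s} -> {action:6s} ({where})")
```

Running it shows the two halves of Kevin's remark side by side: the bogon and anti-spoof rules, plus the egress list, dispose of most of the noise in a handful of lines, while `scan_syn_445` is dropped only by the implicit deny and `forged_ack_445` is accepted by the `established` rule, since flag-matching is the only notion of "state" a stateless ACL has.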