Why is my Site Protected by Two Firewalls? Isn't that just ...you know....PARANOID?!

Discussion in 'General Discussion' started by eric_stewart, Feb 13, 2007.

  1. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Keeping to the Breezy! philosophy, this isn't a complete explanation. That said, some of you security types need a way to explain this to the guy in the corner office or your customers or both. You're Dilbert. They are the pointy-haired boss....

    Isn't having two firewalls overkill?
    Having two firewalls between you and the bad guys is just practicing safe net. It gives you the ability to create granular, differentiated policies for devices in the DMZ that is established between the two devices, as compared to devices that are in the inside (most secure) security zone of your network. In short, it allows you to create zone-based security policies, leveraging the DoS protection of two firewalls instead of one. This is not a "more is better" statement so much as it is a control issue. For example, if you have a public web server, you could put it in the DMZ between the outer and inner firewalls. On your outside firewall, you could open up full access to the DMZ server from the Internet, and the inside firewall will prevent the DMZ server from initiating connections to the inside, trusted network. Thus, a compromised host in the DMZ could not be used to attack your inside network.

    What about a firewall with 3 interfaces?
    The same could be said about a 3-interface firewall (i.e. WAN, LAN, DMZ). The RV042, for example (like the one I'm using), allows you the benefit of a separate segment and subnet where you can put your DMZ hosts. Care must be taken because by default the device in the DMZ *can* initiate a connection to inside hosts, *but* this connection establishment is managed and inspected by the stateful firewall. (A PIX or ASA will not allow these connections through without ACLs.) This is not necessarily desirable, BUT the stateful firewall WILL provide protection against DoS as well as common Internet attacks such as FIN Scans, Pings of Death, Teardrop, Smurf, etc. If you're really paranoid, you can, for example, create separate rules on the RV042 (also the RV016, RV082 and WRV54G) which will deny connections being established by the DMZ host to the inside LAN if you want. This will not prevent hosts on the inside LAN (nor the Internet) from establishing connections *to* the DMZ, and is essentially best practice anyway. I have modified the rules on the RV042 so the default behaviour is NOT to allow connections from the DMZ to be initiated into the LAN segment unless there is an explicit rule to allow it. Now I have the best of both worlds.

    What about a firewall with a software DMZ?
    I don't trust software DMZs. The philosophy of a Linksys box (and other SOHO devices such as D-Link, SMC, Netgear, etc.) is that a device that is in the DMZ should have no protection, with the exception perhaps of DoS (Denial of Service) protection. Devices on the Internet should be able to initiate a connection with the device in the DMZ without being blocked. The cynic in me says that this was an early workaround to the problems with non-stateful, simple NAT firewalls where establishing a server "behind" the firewall was problematic at best. Online gamers, and anyone trying to run a server on the Internet, would have big issues if the device didn't properly handle inbound connections to these devices. It was easier for manufacturers to simply say "to heck with this" and create a simple rule where one device could be exposed. Then the rule becomes much simpler: any inbound protocols TCP, UDP, ESP, ICMP, Swahili, Japanese, whatever would be allowed to communicate with this exposed host. The only problem (still) is, the DMZ host is often on the same physical segment and shares the same subnet as other non-DMZ hosts. Compromise the DMZ host and you are now a privileged user on the INSIDE of the security appliance, free to cause mayhem. This isn't as bad as it sounds since most smart people will have a software firewall (the Windows XP SP2 Firewall is stateful and not too bad) on the other inside hosts, but you never know.... Examples in the Linksys line of this type of DMZ include WRT54G, WRT54GS, WRT300N, WRT350N, WRT54LSGS, WRV200. In the Cisco product line the Cisco PIX 501, 506E and ASA 5505 would be examples.

    This is by no means a complete description but is based on my own experience with these things. This is also, in a nutshell, how I explain the different solutions to my customers.

    webmaster www.breezy.ca <-- check it out
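A small model of the zone-based, stateful policy the post describes (added example; not code from the original post, from Linksys or from Cisco). The zone names, subnets, rule format and sample packets are all constructed; the "hardened" rule set is the DMZ-cannot-initiate-into-LAN policy from the post, and the "stock" rule set mirrors a default where DMZ-to-LAN connections are merely inspected.

```python
from ipaddress import ip_address, ip_network

# Constructed zone layout: anything outside LAN or DMZ is treated as WAN.
ZONES = {"LAN": ip_network("192.168.1.0/24"), "DMZ": ip_network("192.168.2.0/24")}

def zone_of(ip):
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "WAN")

class ZoneFirewall:
    """First matching rule decides NEW flows; replies on accepted flows pass."""
    def __init__(self, rules, default="DROP"):
        self.rules = rules          # (src_zone, dst_zone, proto, dport, action)
        self.default = default
        self.conntrack = set()      # accepted flows, stored as 5-tuples

    def _policy(self, src_zone, dst_zone, proto, dport):
        for s, d, p, port, action in self.rules:
            if (s, d) == (src_zone, dst_zone) and p in (proto, "any") and port in (dport, "any"):
                return action
        return self.default

    def packet(self, src, sport, dst, dport, proto="tcp"):
        flow, reply = (src, sport, dst, dport, proto), (dst, dport, src, sport, proto)
        if flow in self.conntrack or reply in self.conntrack:
            return "ACCEPT"         # stateful inspection: belongs to an allowed connection
        action = self._policy(zone_of(src), zone_of(dst), proto, dport)
        if action == "ACCEPT":
            self.conntrack.add(flow)
        return action

# Policy from the post: Internet reaches only the DMZ web server, the LAN may
# open anything, and the DMZ may not initiate connections into the LAN.
HARDENED_RULES = [
    ("WAN", "DMZ", "tcp", 80, "ACCEPT"),      # public web server in the DMZ
    ("LAN", "DMZ", "any", "any", "ACCEPT"),   # admins manage DMZ hosts
    ("LAN", "WAN", "any", "any", "ACCEPT"),   # normal outbound traffic
    ("DMZ", "LAN", "any", "any", "DROP"),     # explicit deny, not just the default
]
# Stock-style policy: DMZ-initiated connections to the LAN are allowed (only inspected).
STOCK_RULES = [r for r in HARDENED_RULES if r[:2] != ("DMZ", "LAN")] + [("DMZ", "LAN", "any", "any", "ACCEPT")]

def walk_through(rules):
    # Replay constructed packets through a fresh firewall and return each verdict.
    fw = ZoneFirewall(rules)
    return {
        "internet->web": fw.packet("203.0.113.5", 40000, "192.168.2.10", 80),
        "web->internet reply": fw.packet("192.168.2.10", 80, "203.0.113.5", 40000),
        "internet->lan": fw.packet("203.0.113.5", 40001, "192.168.1.20", 445),
        "lan->dmz ssh": fw.packet("192.168.1.20", 50000, "192.168.2.10", 22),
        "dmz->lan reply": fw.packet("192.168.2.10", 22, "192.168.1.20", 50000),
        "compromised dmz->lan": fw.packet("192.168.2.10", 5555, "192.168.1.20", 445),
    }
```

Running `walk_through` with both rule sets shows the single difference that matters: a new connection from the DMZ host into the LAN is dropped under the hardened policy and accepted under the stock one, while replies to LAN-initiated sessions pass in both.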
  2. orangekay

    orangekay LI Guru Member

    Hey great make sure and post a new thread full of links to your site every time you make another blog entry. I think I need two pairs of sunglasses to protect my eyes from that technicolor travesty, though.
  3. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    ...says a poster with handle "orangekay" ;-)


    P.S. Registered users can reskin the Breezy! site as part of their user settings. You can leave your sunglasses at home!