Great Circle Associates Firewalls
(November 1992)

Subject: Re: what shall thy firewall hardware be?
From: Brent Chapman <brent @ GreatCircle . COM>
Date: Mon, 30 Nov 92 18:43:19 -0800
To: Firewalls @ GreatCircle . COM
In-reply-to: Your message of Mon, 23 Nov 1992 21:26:38 +0100

Bill Wohler <wohler @ sap-ag . de> writes:

#   after absorbing the information in "practical unix security" and
#   this list, i'll be creating a firewall of my own (yes, bryan, it
#   appears we're finally going to get an internet connection).  
# 
#   chances are we'll use a cisco router as the choke and an hp 710 as
#   the gate.  however, i'd be interested to hear what people like as
#   chokes and gates--and--what they don't like.
# 
#   just occurred to me that i might not be able to get two network
#   interfaces in the hp 710.  if this is the case, what is the danger
#   in setting up the router so that it only passes traffic from both
#   the external and internal networks only to the gate?  is it better
#   to get a gate that has two network interfaces?

I've built a number of firewalls using a variety of different schemes,
all variations on a theme of packet filtering.

My current favorite scheme involves two Cisco routers (yeah, I know,
mucho $$$$) and a UNIX box.  You arrange things so that the two
routers and the UNIX box are on a dedicated Ethernet (we usually call
this the "exposed net" or "DMZ"), with nothing else on that net.  One
of the routers is also connected to the outside world.  The other
router is also connected to your internal net.

The exterior router guards the internal net and the DMZ from the
outside world.

The interior router guards the internal net from the DMZ and the
outside world.

The host on the DMZ is what the outside world talks to when they want
a SMTP, FTP, DNS, or other server for your site.

You arrange the packet filters on the interior and exterior gateways
so that clients on internal machines can connect to certain servers
(TELNET and FTP satisfy 90-95% of user desires) in the outside world.

You arrange for non-interactive services (such as SMTP, DNS, etc.) to
go out via the host on the DMZ.

You do not allow UDP (except to/from port 53, for DNS) through the
exterior firewall.

You do not let any of the internal machines trust the DMZ host in any
way (mounting filesystems, .rhosts files, hosts.equiv files, etc.).

You do everything you possibly can to secure the DMZ host.

You don't let users on the DMZ host routinely; this makes it easier to
monitor for illicit use.

Depending on how paranoid you are and what's at stake, you might
impose further restrictions between the DMZ host and the internal
hosts on the interior router.

That, in a nutshell, is how I build firewalls today.  The technology
is constantly changing, though, so I may be doing something different
next week.  Also, I often end up modifying the plan to accommodate a
site's particular constraints (i.e., they can't afford 2 Ciscos, or
they already have another brand of router, or ...).


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent @ GreatCircle . COM                       1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041
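The rules Brent lists above can be written down as a small packet-filter model, which makes it easy to check that each stated policy actually holds for a given packet. This is an added example, not code from the original post or from Great Circle Associates. The address ranges, the DMZ host address, the internal mail hub, the interface names and the sample packets are all constructed assumptions; the mail-hub relay path is an assumption the post does not spell out.

```python
"""Stateless packet-filter model of the two-router screened-subnet design.

Added example, not code from the post or from Great Circle Associates.
Each router is a function of (packet, ingress interface); site_permits()
applies whichever routers lie on a packet's path, inferred from addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for this example (not from the post).
INTERNAL = ip_network("10.0.0.0/8")        # the internal net
DMZ = ip_network("192.0.2.0/24")           # the exposed net between the routers
DMZ_HOST = ip_address("192.0.2.10")        # the single host on the DMZ
MAIL_HUB = ip_address("10.1.1.25")         # assumed internal mail hub (constructed)

SMTP, FTP_CTL, TELNET, DNS = 25, 21, 23, 53


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag set: the classic "established" test


def _ends(pkt):
    return ip_address(pkt.src), ip_address(pkt.dst)


def exterior_router(pkt, ingress):
    """Router between the outside world and the DMZ; ingress is 'outside' or 'dmz'."""
    src, dst = _ends(pkt)
    # Anti-spoofing: nothing arriving from outside may carry an inside address.
    if ingress == "outside" and (src in INTERNAL or src in DMZ):
        return False
    # No UDP through the exterior router except to/from port 53 (DNS).
    if pkt.proto == "udp":
        return pkt.sport == DNS or pkt.dport == DNS
    if pkt.proto != "tcp":
        return False
    if ingress == "outside":
        # Outside may open connections only to the DMZ host's public servers ...
        if dst == DMZ_HOST and pkt.dport in (SMTP, FTP_CTL, DNS):
            return True
        # ... otherwise only ACK-flagged packets, i.e. replies to connections
        # opened from inside (blocks SYNs; see the note below on its limits).
        return pkt.ack and (dst in INTERNAL or dst in DMZ)
    # ingress == "dmz": traffic leaving the site.
    if src in INTERNAL:
        return pkt.dport in (TELNET, FTP_CTL)        # interactive clients only
    if src == DMZ_HOST:
        return pkt.dport in (SMTP, DNS) or pkt.ack   # relay mail/DNS, answer its clients
    return False


def interior_router(pkt, ingress):
    """Router between the DMZ and the internal net; ingress is 'dmz' or 'internal'."""
    src, dst = _ends(pkt)
    if ingress == "internal" and src not in INTERNAL:
        return False                                 # anti-spoofing
    if ingress == "dmz" and src in INTERNAL:
        return False                                 # anti-spoofing
    if ingress == "internal":
        if dst == DMZ_HOST:
            return pkt.dport in (SMTP, DNS)          # non-interactive services via the DMZ host
        if dst in DMZ:
            return False
        return pkt.proto == "tcp" and pkt.dport in (TELNET, FTP_CTL)
    # ingress == "dmz": the internal net never trusts the DMZ host, so nothing
    # it initiates (rlogin/rsh/NFS or anything else) gets in, except the
    # assumed mail relay path to the internal hub.
    if src == DMZ_HOST and dst == MAIL_HUB and pkt.proto == "tcp" and pkt.dport == SMTP:
        return True
    if pkt.proto == "udp":
        return src == DMZ_HOST and pkt.sport == DNS and dst in INTERNAL   # DNS answers only
    return pkt.proto == "tcp" and pkt.ack and dst in INTERNAL


def site_permits(pkt):
    """AND the verdicts of the routers on this packet's path (inferred from addresses)."""
    src, dst = _ends(pkt)
    src_site = src in INTERNAL or src in DMZ
    dst_site = dst in INTERNAL or dst in DMZ
    verdicts = []
    if src in INTERNAL or dst in INTERNAL:
        verdicts.append(interior_router(pkt, "internal" if src in INTERNAL else "dmz"))
    if not (src_site and dst_site):
        verdicts.append(exterior_router(pkt, "dmz" if src_site else "outside"))
    return all(verdicts)


if __name__ == "__main__":
    for p in (Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, SMTP),
              Packet("tcp", "198.51.100.7", "10.1.1.25", 40000, SMTP),
              Packet("tcp", "10.2.3.4", "198.51.100.7", 40000, TELNET)):
        print(p, "->", "permit" if site_permits(p) else "deny")
```

Two limits of the model are worth keeping in mind. The ACK test is the 1992-era "established" trick: it stops connection opens from outside but, being stateless, cannot tell a genuine reply from any other ACK-flagged packet, which is one reason the post pushes all servers onto a hardened DMZ host rather than relying on the filters alone. And because `site_permits()` infers the path from addresses, spoofing has to be checked on the router functions directly with the real ingress interface, as the exterior rule does.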