Great Circle Associates Firewalls
(January 1995)
 


Subject: Re: Internal firewalls, need for
From: criney1 @ abacus . tis . tandy . com (Chris Riney)
Date: Fri, 27 Jan 1995 14:45:37 -0600 (CST)
To: lavondes @ tidtest . total . fr
Cc: firewalls @ greatcircle . com
In-reply-to: <9501271929 . AA05388 @ tidtest . total . fr> from "Michel Lavondes" at Jan 27, 95 07:29:42 pm

> 
> D_Bauer%huac @ MWMGATE1 . mitre . org wrote :
> > 
> > One of the characteristics of an effective firewall is that ALL traffic--both 
> > internal and external--pass through the firewall.  If the firewall "drops all 
> > packets whose source and destination are both in the internal net", then 
> > wouldn't this prevent the nodes on the internal net from communicating with
> > one another?
> 
> What's the point of having traffic between two internal nodes go through the
> firewall ? Since firewalls exist only to protect trusted nets from untrusted
> ones, if you trust your internal net little enough to have traffic between
> its nodes go through the firewall, IMHO you don't need a firewall in the
> first place. Or am I missing something ?
> -- 
> Michel Lavondes
> E-Mail : lavondes @ tidtest . total . fr
>          lavondes%tidtest . total . fr @ pegase . total . fr (if previous addr rejected)
> Tel : +33-1-4135-4198
> Fax : +33-1-4135-4189
> 

I don't know about having ALL internal traffic needing to pass through the
externally connecting firewall, but I can see where having multiple
'Firewalls' is/would be legitimate for a SITE.  I would have to agree that
if the 'Firewall' is seeing both SRC and DST within the same address
range (especially on opposite sides of the wall), then there should be
big RED flags being raised.

The 'OTHER' firewalls might insulate different departments from each other
(like R&D from Merchandising), where additional security for that section
is required (even from other persons at that site).  The secondary firewalls
do not even have to be managed by the same group as the Primary Firewall.

In the following picture, systems on the 'Main Net' would only have to
go through a 'FireWall' IF they wanted/needed to get to either the
'Secured Net', or the 'Big Bad Net'.


            [======================================================]
            [              B i g   B a d   N e t W o r k           ]
            [======================================================]
                                       |
                                       |
                                [------------]
                                [ FireWall 1 ]
                                [------------]
                                       |
                                       |
            <------------------------------------------------------>
             |                (Main Internal NetWork)     |   |   |
             |                                           \/   |   |
       [------------]                                        \/   |
       [ FireWall 2 ]                                             |
       [------------]                                            \/
             |
             |                                      {Routers & Other Systems}
      <---------------->
       (secure net)

-- 
Chris Riney                     E-mail: chris . riney @ tandy . com
Tandy Information Services             
Tandy Technology Sqr, Suite 200
Fort Worth, TX 76102             Phone: 817/878-0308; 8:00am-5:00pm CST,Mo-Fr
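A small model of the two-firewall layout in the picture above, added here as an example and not code from the poster: FireWall 1 sits between the Big Bad Net and the Main Net, FireWall 2 in front of the secure net, and Main-Net-to-Main-Net traffic crosses neither. The address ranges and port policies are constructed for illustration; the one rule taken from the message is that both ends of a packet being internal at the perimeter is a red flag.

```python
import ipaddress
from typing import NamedTuple

# Constructed address plan (not from the post): the three zones of the diagram.
MAIN_NET = ipaddress.ip_network("10.0.0.0/16")    # Main Internal NetWork
SECURE_NET = ipaddress.ip_network("10.1.0.0/24")  # secure net behind FireWall 2

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def zone(addr):
    """Classify an address as 'main', 'secure' or 'external'."""
    ip = ipaddress.ip_address(addr)
    if ip in SECURE_NET:
        return "secure"
    if ip in MAIN_NET:
        return "main"
    return "external"

def firewall1(flow):
    """Perimeter firewall. Both ends internal on this link is the 'big RED flag':
    it means spoofing or a routing error, so drop and alert."""
    s, d = zone(flow.src), zone(flow.dst)
    if s != "external" and d != "external":
        return "ALERT-DROP"
    if s == "external" and d == "external":
        return "DROP"      # transit traffic: neither end is ours
    if s == "external":
        return "ALLOW" if flow.dport == 25 else "DROP"  # constructed: inbound SMTP only
    return "ALLOW"         # outbound from the site

def firewall2(flow):
    """Secondary firewall in front of the secure net (may be run by another group)."""
    s, d = zone(flow.src), zone(flow.dst)
    if "secure" not in (s, d):
        return "ALERT-DROP"  # should never appear on this link
    if "external" in (s, d):
        return "DROP"        # secure net never talks to the Big Bad Net
    if d == "secure":
        return "ALLOW" if flow.dport == 22 else "DROP"  # constructed: SSH into secure net only
    return "ALLOW"           # secure net initiating toward the main net

def path(flow):
    """Firewalls the flow crosses, in traversal order, with each verdict.
    Traffic staying inside one zone crosses none; a later hop is only reached on ALLOW."""
    s, d = zone(flow.src), zone(flow.dst)
    if s == d:
        hops = []
    elif "external" not in (s, d):
        hops = [firewall2]                      # main <-> secure
    elif "secure" not in (s, d):
        hops = [firewall1]                      # main <-> Big Bad Net
    else:
        hops = [firewall1, firewall2] if s == "external" else [firewall2, firewall1]
    verdicts = []
    for fw in hops:
        verdicts.append((fw.__name__, fw(flow)))
        if verdicts[-1][1] != "ALLOW":
            break
    return verdicts
```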


