Great Circle Associates Firewalls
(July 1995)

Subject: Re: One Router or Two?
From: Brent@GreatCircle.COM (Brent Chapman)
Date: Thu, 6 Jul 1995 11:18:17 -0800
To: Mark.Broadbent@Aus.Sun.COM (Mark Broadbent - Partner Training Manager - Sun Australia), mark_kadrich@ins.com
Cc: firewalls@GreatCircle.COM

At 9:21 AM 7/6/95, Mark.Broadbent@Aus.Sun.COM (Mark Broadbent - Partner
Training Manager - Sun Australia) wrote:
>My understanding of the use of two routers was that
>they should be from different manufacturers, so that the
>site was not vulnerable to a single security hole that might
>be discovered in any one type of network device.

Yes, that's the theory.  However, they're both filtering routers; even when
done independently by different vendors, there are going to be a lot of
things that end up being done the same way.  For instance, take a look at
Cisco's recent reported problems with handling of fragmented IP packets
(i.e., artificially tiny fragments and overlapping fragments).  Several
vendors probably have (or had) the same problem, because they'd done their
fragment filtering code in much the same "obvious" way that Cisco did.

>The two routers will require different filter configurations.
>This will reduce the chance that a mis-configuration of filters
>will open a hole into the organisation.

Again, that's the theory.  However, filtering configuration languages for
various platforms are more similar than different.  If someone makes a
mistake in programming one platform (especially if the mistake is more of a
"conceptual" problem, where they don't fully understand the consequences or
implications of something they're doing), the chances are very good that
they'll make the same mistake in configuring the other platform.

Don't get me wrong; I'm not saying "two routers are no more secure than
one".  Two _can_ be more secure than one, but two are not _automatically_
more secure than one; it takes careful consideration and implementation to
make real the potential increases in security of a dual-router
configuration.

FYI, the reason I normally show dual-router configurations in my classes is
because they're simpler conceptually, not necessarily because they're more
secure.  I show one router handling traffic between the perimeter net and
the internal net, and the other router handling traffic between the
perimeter net and the world.  Once we've gone through the dual-router
architecture in some detail, then we discuss an equivalent single-router
architecture as a variation.


-Brent

----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                                 Great Circle Associates
Brent@GreatCircle.COM                         1057 West Dana Street
+1 415 962 0841                               Mountain View, CA  94041
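[Editor's illustration of the fragment problem Brent refers to above. This is an added example; it is not part of his message and is not any vendor's filtering code. It models a filter that handles fragments the "obvious" way (inspect the first fragment, pass the rest) beside one that adds the two checks for TCP fragments that RFC 1858 later recommended: drop an initial fragment too short to carry a full TCP header, and drop any fragment at offset 8 (fragment offset field = 1), because it can overwrite the TCP flags byte. The TCP segments, the site policy (inbound TCP only when ACK is set), and the reassembly behaviour (later fragments overwrite earlier bytes) are all constructed assumptions for the demonstration; real stacks differ in which copy wins on overlap.]

```python
# Added example (not from the original post). Models two fragment-filter
# evasions against a "first fragment only" filter. Constructed data throughout:
# no IP header is built; each Fragment carries its offset and MF bit directly.
from dataclasses import dataclass

TCP_MIN_HDR = 20          # TCP header length without options
FLAG_SYN = 0x02
FLAG_ACK = 0x10


@dataclass(frozen=True)
class Fragment:
    offset: int           # IP fragment offset in bytes (field value * 8)
    more: bool            # IP "more fragments" bit
    data: bytes           # this fragment's share of the TCP segment


def tcp_segment(sport, dport, flags, payload=b""):
    """Build a minimal 20-byte TCP header (checksum left zero) plus payload."""
    hdr = (sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
           + (0).to_bytes(4, "big")          # sequence number
           + (0).to_bytes(4, "big")          # acknowledgement number
           + bytes([5 << 4, flags])          # data offset = 5 words, flags (byte 13)
           + (8192).to_bytes(2, "big")       # window
           + (0).to_bytes(2, "big")          # checksum (not computed here)
           + (0).to_bytes(2, "big"))         # urgent pointer
    return hdr + payload


def fragment(segment, cuts):
    """Split a segment at the byte offsets in `cuts` (each a multiple of 8)."""
    bounds = [0] + list(cuts) + [len(segment)]
    return [Fragment(bounds[i], bounds[i + 1] != len(segment),
                     segment[bounds[i]:bounds[i + 1]])
            for i in range(len(bounds) - 1)]


def policy_allows(dport, flags):
    """Assumed site policy: inbound TCP only for established connections."""
    return bool(flags & FLAG_ACK)


def naive_filter(frag):
    """The 'obvious' approach: decide on the first fragment, pass the rest."""
    if frag.offset != 0:
        return True                        # non-initial fragment: nothing to inspect
    if len(frag.data) < 14:
        return True                        # flags byte absent; cannot decide, so pass
    return policy_allows(int.from_bytes(frag.data[2:4], "big"), frag.data[13])


def hardened_filter(frag):
    """Same policy plus the two RFC 1858 checks for TCP fragments."""
    if frag.offset == 0 and len(frag.data) < TCP_MIN_HDR:
        return False                       # tiny first fragment: header is split
    if frag.offset == 8:
        return False                       # FO=1 can overwrite bytes 8..15 (flags)
    if frag.offset != 0:
        return True
    return policy_allows(int.from_bytes(frag.data[2:4], "big"), frag.data[13])


def reassemble(frags):
    """Host-side reassembly; later fragments overwrite earlier bytes (assumption)."""
    buf = bytearray(max(f.offset + len(f.data) for f in frags))
    for f in frags:                        # arrival order
        buf[f.offset:f.offset + len(f.data)] = f.data
    return bytes(buf)


def host_sees(frags):
    """(dport, flags) the end host would act on after reassembly."""
    seg = reassemble(frags)
    return int.from_bytes(seg[2:4], "big"), seg[13]


def run(frags, filt):
    """Return (did every fragment pass the filter?, (dport, flags) at the host)."""
    return all(filt(f) for f in frags), host_sees(frags)


def tiny_fragment_attack():
    # First fragment is only 8 bytes: ports but no flags. A SYN to port 23.
    return fragment(tcp_segment(40000, 23, FLAG_SYN), [8])


def overlapping_fragment_attack():
    # Innocent-looking full header (ACK set), then an FO=1 fragment that
    # rewrites bytes 8..19, turning the flags into a bare SYN.
    innocent = tcp_segment(40000, 23, FLAG_ACK)
    hostile = tcp_segment(40000, 23, FLAG_SYN)
    return [Fragment(0, True, innocent), Fragment(8, False, hostile[8:])]


def legitimate_traffic():
    # Ordinary fragmented established-connection segment: first piece >= 20 bytes.
    return fragment(tcp_segment(40000, 23, FLAG_ACK, b"x" * 32), [24])


if __name__ == "__main__":
    for name, frags in [("tiny", tiny_fragment_attack()),
                        ("overlap", overlapping_fragment_attack()),
                        ("legit", legitimate_traffic())]:
        for fname, filt in [("naive", naive_filter), ("hardened", hardened_filter)]:
            passed, (dport, flags) = run(frags, filt)
            print(f"{name:8} {fname:9} passed={passed!s:5} host sees dport={dport} flags=0x{flags:02x}")
```

In both attacks the naive filter passes every fragment while the host reassembles a SYN to port 23, which the policy was meant to block; the hardened filter drops the tiny first fragment in one case and the offset-8 fragment in the other, and still passes the ordinary fragmented segment. Two routers from different vendors that both coded the naive version give no independent protection here, which is the point of the message above.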
