Concerning:
>> I am at present configuring a firewall using Firewall-1 software.
[...]
>> whereas SUN seems to recommend the following scenario
>>
>>                                   ----------
>>                                   | ftp &  |
>>                                   | http   |
>>                                   | server |
>>                                   |________|
>>              ---------                 |
>>              |packet   |           ----|-----
>> internet-----|filtering|-----------|firewall-1|-----Internal network
>>              |router   |           |gateway   |
>>              |_________|           |__________|
>> which would require the purchase of a third network card for the gateway
>> machine.
>>
>> I would be grateful for your comments on these two configurations.
>
There are several potential advantages of the solution that Sun proposes.
They may or may not be of interest in your situation....
1. FireWall-1 can be configured so that the ftp/http server cannot
initiate any connection into either the internal network or back to the
Internet (to stage an attack to somewhere else). In other words,
compromising the ftp/http server does not decrease the security of the
internal network.
2. If the ftp/http server is compromised, it still cannot be used for
packet-sniffing or address-spoofing or connection-hijacking or other
attacks on your internal network.
3. All activity to and from the ftp/www server can be logged by
FireWall-1. Yes, the ftp/http server can generate its own logs, but a
successful attacker can edit them to cover his tracks. The FW-1 logs
provide an independent record.
4. The FireWall-1 gateway can be configured to allow the (normally
difficult-to-secure) protocols like nfs and rlogin from the internal side.
This can be useful for managing the server.
5. The FireWall-1 gateway can be configured to allow trusted users on the
Internet to be authenticated by one-time-passwords. These authenticated
users could then be given additional access privileges to the ftp/http
server (e.g. remote support by sub-contractors, or after hours). This
traffic could be encrypted and decrypted by FireWall-1.
In summary, this solution provides more in-depth security, and more scope
for later expansion.
Other comments:
- I assume you're using a Sparc platform for FireWall-1. These come with
a single built-in ethernet, so you're going to have to buy another card to
get the second interface anyway. The additional cost of a Sun
quad-ethernet Sbus card over a single-ethernet Sbus card is only a couple
of hundred dollars. If you're using an Intel platform with Solaris-X86,
the cost of the additional ethernet interface is even less. Compared to
the cost of the entire setup, this seems minuscule.
- I suspect that your Internet provider would prefer that you have a
dedicated router at your end of the WAN connection instead of a
general-purpose computer. If both you and your ISP used Cisco routers, for
example, you could do Cisco-specific things like HDLC and maybe IGRP.
(although most ISPs won't want to talk IGRP to their customers anyway, I
suspect.) In addition, it would separate the routing from the security
issues which would simplify troubleshooting....
Disclaimer: My company designs, sells, and installs FireWall-1 based
security systems, among other things.
Don Pollock   pollock@houston.omnes.net
Network Systems Engineer   +1 713 513 3017
Omnes - A Schlumberger/Cable & Wireless Company   http://www.omnes.net/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The true mark of intelligence is to learn from the experiences of others.
-------------------------------------------------------------------------
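The three-interface policy the reply argues for (points 1 and 4: the ftp/http server on its own gateway interface may be reached from the Internet and managed from inside, but may never initiate a connection anywhere, and every DMZ hit is logged) can be modelled as an ordered first-match rulebase. The following is an added illustration, not FireWall-1 syntax and not the author's configuration; the address ranges, zone names and the `evaluate` helper are constructed for the example, and connection tracking is abstracted to "which zone initiated the connection".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: which gateway interface (zone) each range sits behind.
# Anything not in the DMZ or internal range is treated as the Internet.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),    # ftp/http server interface (constructed)
    "internal": ip_network("10.0.0.0/8"),  # internal network (constructed)
}

def zone_of(addr: str) -> str:
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    service: str  # service name or "any"
    action: str   # "accept" or "drop"
    log: bool

# Ordered rulebase; the first rule whose fields all match decides the connection.
RULEBASE = [
    Rule("internet", "dmz", "http",   "accept", True),  # public web service, logged
    Rule("internet", "dmz", "ftp",    "accept", True),  # public ftp service, logged
    Rule("internal", "dmz", "nfs",    "accept", True),  # point 4: management from inside only
    Rule("internal", "dmz", "rlogin", "accept", True),
    Rule("dmz",      "any", "any",    "drop",   True),  # point 1: DMZ host never initiates
    Rule("any",      "any", "any",    "drop",   True),  # cleanup rule: deny and log the rest
]

def evaluate(src_ip: str, dst_ip: str, service: str):
    """Return (action, index of matching rule, log line or None) for a new connection."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for i, r in enumerate(RULEBASE):
        if r.src in (s, "any") and r.dst in (d, "any") and r.service in (service, "any"):
            log = f"rule={i} {s}->{d} {src_ip}->{dst_ip} {service} {r.action}" if r.log else None
            return r.action, i, log
    return "drop", None, None  # unreachable with a cleanup rule, kept for safety

if __name__ == "__main__":
    for pkt in [("198.51.100.7", "192.0.2.10", "http"),   # Internet client to web server
                ("192.0.2.10", "10.1.2.3", "nfs"),        # compromised DMZ host probing inside
                ("192.0.2.10", "198.51.100.7", "http"),   # DMZ host staging out to the Internet
                ("10.1.2.3", "192.0.2.10", "rlogin")]:    # admin managing the server from inside
        print(evaluate(*pkt)[2])
```

The independent log line produced by the gateway is the record point 3 relies on: it survives even if the attacker edits the server's own logs.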