>> I am at present configuring a firewall using Firewall-1 software.
>> whereas SUN seems to recommend the following scenario
>>                    ---------
>>                   | ftp &   |
>>                   | http    |
>>                   | server  |
>>                    ---------
>>                        |
>>            ---------   |   ----------
>> internet---|packet  |------|firewall-1|-----Internal network
>>            |filtering|     |gateway   |
>>            |router   |     |          |
>>            |_________|     |__________|
>> which would require the purchase of a third network card for the gateway
>> I would be grateful for your comments on these two configurations.
There are several potential advantages of the solution that Sun proposes.
They may or may not be of interest in your situation....
1. FireWall-1 can be configured so that the ftp/http server cannot
initiate any connection into either the internal network or back to the
Internet (to stage an attack to somewhere else). In other words,
compromising the ftp/http server does not decrease the security of the
2. If the ftp/http server is compromised, it still cannot be used for
packet-sniffing or address-spoofing or connection-hijacking or other
attacks on your internal network.
3. All activity to and from the ftp/www server can be logged by
FireWall-1. Yes, the ftp/http server can generate its own logs, but a
successful attacker can edit them to cover his tracks. The FW-1 logs
provide an independent record.
4. The FireWall-1 gateway can be configured to allow the (normally
difficult-to-secure) protocols like nfs and rlogin from the internal side.
This can be useful for managing the server.
5. The FireWall-1 gateway can be configured to allow trusted users on the
Internet to be authenticated by one-time-passwords. These authenticated
users could then be given additional access privileges to the ftp/http
server (e.g. remote support by sub-contractors, or after hours). This
traffic could be encrypted and decrypted by FireWall-1.
In summary, this solution provides more in-depth security, and more scope
for later expansion.
- I assume you're using a Sparc platform for FireWall-1. These come with
a single built-in ethernet, so you're going to have to buy another card to
get the second interface anyway. The additional cost of a Sun
quad-ethernet Sbus card over a single-ethernet Sbus card is only a couple
of hundred dollars. If you're using an Intel platform with Solaris-X86,
the cost of the additional ethernet interface is even less. Compared to
the cost of the entire setup, this seems minuscule.
- I suspect that your Internet provider would prefer that you have a
dedicated router at your end of the WAN connection instead of a
general-purpose computer. If both you and your ISP used Cisco routers, for
example, you could do Cisco-specific things like HDLC and maybe IGRP.
(although most ISPs won't want to talk IGRP to their customers anyway, I
suspect.) In addition, it would separate the routing from the security
issues which would simplify troubleshooting....
Disclaimer: My company designs, sells, and installs FireWall-1 based
security systems, among other things.
net Network Systems Engineer +1 713 513 3017
Omnes - A Schlumberger/Cable & Wireless Company http://www.omnes.net/
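Added example, not from the post and not FireWall-1's own rulebase format: a small Python model of a first-match rulebase for the three-interface layout in the diagram above, showing how points 1 through 4 of the reply (server cannot initiate anywhere, public ftp/http in, nfs/rlogin management from inside, independent gateway log) become concrete rules. Zone addresses, service names and the connection attempts are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the gateway's three interfaces (assumption, not from the post).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # ftp/http server segment
    "internal": ipaddress.ip_network("10.0.0.0/8"),  # internal network
}

def zone_of(ip):
    """Map an address to the interface it arrives on; anything else is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "any"
    dst: str
    service: str  # "ftp", "http", "nfs", "rlogin" or "any"
    action: str   # "accept" or "drop"
    log: bool

# Constructed rulebase mirroring points 1-4 of the reply; order matters (first match wins).
RULEBASE = [
    Rule("internet", "dmz", "ftp", "accept", True),
    Rule("internet", "dmz", "http", "accept", True),
    Rule("internal", "dmz", "nfs", "accept", True),      # point 4: management from inside
    Rule("internal", "dmz", "rlogin", "accept", True),
    Rule("dmz", "any", "any", "drop", True),             # point 1: server initiates nothing
    Rule("internal", "internet", "any", "accept", False),
    Rule("any", "any", "any", "drop", True),             # cleanup rule
]

def decide(src_ip, dst_ip, service):
    """Evaluate a new connection (the initiator is src); returns (action, rule number, log line)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for n, r in enumerate(RULEBASE, 1):
        if r.src in (src, "any") and r.dst in (dst, "any") and r.service in (service, "any"):
            entry = f"rule {n} {r.action} {src}->{dst} {service} {src_ip}->{dst_ip}" if r.log else None
            return r.action, n, entry
    return "drop", 0, None  # unreachable while the cleanup rule is present

# Constructed connection attempts exercising the policy.
SAMPLE = [
    ("203.0.113.5", "192.0.2.10", "http"),   # public visitor -> web server
    ("192.0.2.10", "10.1.1.20", "nfs"),      # compromised server -> internal host
    ("192.0.2.10", "198.51.100.7", "http"),  # compromised server -> Internet
    ("10.1.1.20", "192.0.2.10", "rlogin"),   # admin -> server
    ("203.0.113.5", "10.1.1.20", "http"),    # Internet -> internal host directly
]

def audit(attempts=SAMPLE):
    """The gateway's independent log (point 3): one line per logged decision."""
    return [entry for entry in (decide(*a)[2] for a in attempts) if entry]
```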