>the firewall in this case only supports encrypted tunneling,
>the pipe (link) between the two firewalls is completely
>transparent to the hacker and provides absolutely no protection
>against the hacker from setting up shop on your network.
(much more good stuff omitted)
The traditional nework worldview is for "internal" and "external" networks
with bastions and DMZs being special cases of "external". For some time I
have been pushing for a third category that seems necessary for real
world considerations: the "limited exposure network" or "LEN".
Frank's examples point out this need. Basically for "internal" we need no
formal protection except in special cases - can be left up to the users &
local admins. External we assume to be populated by hackers/crackers/A6s/
things that go bump and is not to be trusted at all.
For companies competing in the modern world, there is a need for secure
communications with semi-trusted partners, those we trust with access to
certain areas but not with the keys to the wineceller.
*Every* program I have delt with in the last year has had similar needs &
the only viable option I see is for a LEN.
You can divide it up easily: for internal network, information is freely
available. Where restriction is needed for a node, a single protection
layer is adequate (login/password) with the understanding that covert
channel (sniffers) attacks will work.
For external networks my rule is "tell me three times". Single fail safe,
dual fail safe, takes three different failures to breach security with the
hope that I will notice one of the first two before the third occurs (I
do not count the minefields except as warning devices).
Logically then a LEN will suffice with two, the third being the contractual
agreement with the remote site as a condition for connection. Single-fail-safe
takes care of the condition Frank refers to and my rule is that such
connections use either securely encrypted links (40 bit keys are no
stronger than compression) or Telco provided PNS (Protected Network Services).
The second stage is router/firewall enforced access only to trusted nodes
(i.e. properly administered and I define what "properly" means) on trusted
subnets. Using defined protocols. For the interested, there is a way in which
NFS can be made "acceptable" - in general there is nothing wrong with the
protocol itself, just the other services traditionally available on an NFS
machine often conceal vulnerabilities.
Thus I feel that one layer of protection is sufficient internally, two for
LENs, and three for "the world". It works for me.