Verily, at 10:54 AM 3/8/96 MST, Greg Woods did write:
>> >I don't see much sense in putting application gateways and packet
>> >filters in the same box, or hooking them up in parallel. If the
>> >networks in question needs the degree of separation provided by an
>> >application gateway, then you're diluting the effect by letting a
>> >filtered packet flow in along with it.
>> >
>>
>> Agreed. Putting different levels of security in parallel will ensure
>> that the weaker of the two will be used to bypass the stronger security.
>
>Doesn't this depend on what your company's security policy is and how
>much risk you're willing to accept?
Greg,
I think you missed my point. To requote myself:
"Putting different levels of security in parallel will ensure that
the weaker of the two will be used to bypass the stronger security."
The above statement is a fact & basic tenet of Network Security. It
has nothing to do with how your company implements Information Security
or what risks you are willing to take.
>As Brent's book points out in the
>security policy chapter, for many of us, adopting a policy that
>requires us to build a completely impregnable firewall is not
>realistic.
For starters, there is no such thing as a completely impregnable firewall.
The fact that many applications & protocols present large security risks
means that the job of providing secure, worry-free communications to/from
the Internet is almost impossible. We are in fact stuck with TCP/IP and
numerous insecure applications (Java made news recently about this). The
purpose of a firewall is to protect your company's networks as much as
possible - helping to *minimize* (not eliminate) the risks in connecting
to the Internet. Security is never 100%. Never has, never will be.
Case in point - the CIA has a very tight security environment - and yet
they had Ames. (This isn't a slam against the CIA, just an illustration
that perfect security doesn't exist).
>But not being able to install perfect security doesn't mean
>that we should do nothing to protect ourselves.
I wasn't advocating that. Fortified Networks specializes in helping
companies achieve high levels of Information Security which are
user-friendly, virtually non-intrusive to business operations, and
as inexpensive as possible. I am sure that there is a secure solution
which will best match your company's needs. (I would prefer to discuss
this off-line, however).
>Example: we have an
>application that needs to be accessed from some ATM WAN links at FDDI
>speeds. We can't have it go through a gateway host because it's too
>slow. So we punch a hole in the packet filter to allow connections to
>this one host from the outside, and take steps to secure that host.
>Isn't that better than just abandoning security altogether?
It's a start. However, there are important pieces of the puzzle which
are missing. Is the application business-critical? Do the links go to
external entities (vendors, providers, etc.)? What has been done to
secure the application & the systems it runs on? What is the impact of
a compromise in the application, the system it runs on, or the networks
on which the application resides? What constitutes a "minimal risk" for
your organization? What is your comfort level with this minimal risk?
(These questions are rhetorical & food for thought - and not something
which should be aired in a public forum.)
Each organization has its own unique level of security requirements.
Plugging the NSA's security policies & environment into a university's
infrastructure is a recipe for disaster. (You'd have a student &
faculty revolt on your hands very quickly - and/or would experience a
sudden migration (stampede) from your university to another one.) 8^)
Plugging a university's security policies & environments into the NSA's
infrastructure would also be a recipe for disaster.
>So here's
>at least one case where it does make sense to have a packet filter in
>parallel with an application gateway. Yes, we know it weakens security,
>but we know exactly how much and we willingly choose to accept the
>additional risk.
>
>--Greg
You have to decide what is best for you and what risks your organization
is willing to live with. FWIW, if you can't provide adequate security
on the connections, you might want to consider beefing up the auditing
of the results of the application & the systems it runs on. Further,
you might also want to increase your monitoring of the traffic going
through the connection, the application, & the system. Throwing in a
landmine system or two (which will scream for help if they are probed
in order to detect intruders on your network) whose hostname and IP
address are defined in the application systems network database wouldn't
hurt either.
Best Regards,
Frank
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com
Home of the Free Internet Firewall Evaluation Checklist
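The "landmine" host Frank mentions is a decoy that no legitimate client ever contacts, so any connection to it is by definition a probe worth alerting on. The following is an added illustration, not code from Frank or Fortified Networks: a minimal decoy listener that accepts one connection, records the source and the first bytes received, and returns an alert record (the decoy name "db-backup-02" and the loopback address are constructed values standing in for entries in the application's network database).

```python
"""Minimal "landmine" decoy listener (constructed example)."""
import socket
import threading
from datetime import datetime, timezone

# Decoy identities as they would appear in the application network
# database. Constructed values: name -> address the decoy listens on.
DECOYS = {"db-backup-02": "127.0.0.1"}


def listen(address: str, port: int) -> socket.socket:
    """Bind the decoy listener; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((address, port))
    srv.listen(5)
    return srv


def wait_for_probe(srv: socket.socket, decoy: str, timeout: float = 5.0) -> dict:
    """Accept one connection and describe it as an alert.
    The decoy never replies; it only records who knocked and what they sent."""
    srv.settimeout(timeout)
    conn, peer = srv.accept()
    conn.settimeout(1.0)
    try:
        first_bytes = conn.recv(128)
    except socket.timeout:
        first_bytes = b""
    finally:
        conn.close()
    return {"time": datetime.now(timezone.utc).isoformat(),
            "decoy": decoy,
            "source": f"{peer[0]}:{peer[1]}",
            "first_bytes": first_bytes[:64],
            "severity": "high"}  # nothing legitimate ever talks to a decoy


def probe(address: str, port: int, payload: bytes) -> None:
    """Stand-in for a scanner touching the decoy (demo only)."""
    with socket.create_connection((address, port), timeout=2.0) as c:
        c.sendall(payload)


def run_demo() -> dict:
    """Start the decoy, hit it once from a thread, return the alert."""
    srv = listen(DECOYS["db-backup-02"], 0)
    port = srv.getsockname()[1]
    t = threading.Thread(target=probe, args=("127.0.0.1", port, b"GET / HTTP/1.0\r\n"))
    t.start()
    alert = wait_for_probe(srv, "db-backup-02")
    t.join()
    srv.close()
    return alert


if __name__ == "__main__":
    print(run_demo())
```

In practice the alert would be forwarded to whoever watches the monitoring described above rather than just returned, and the decoy's name and address would come from the real application network database.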