I have received many, MANY responses to this issue. Perhaps I should clarify a
bit more. I am aware of the ability for Firewall-1 (and others) to establish
additional subnets emanating from the firewall. My client is concerned (I think
correctly) that this might present a dual performance hit on a single firewall
as external HTTP traffic hits the wall from one end and Electronic Commerce
traffic is passed from the WWW server (again hitting the same firewall) to the
internal network. (the performance of one firewall is a real issue at this
client and a second one is being considered but it would operate in a parallel
architecture to the previous one, not supplementing the security before the
router)
My original question stands: My preference is for a second internal firewall in
front of the internal router. My client is convinced that their internal router
will suffice as a second firewall. This router supposedly has so many
'properly' configured rules as to protect itself. My concerns are:
1. Denial of service from a compromised WWW server to the router can paralyze
internal traffic.
2. The router does not have good audit trail capabilities and it would not be
easy for external auditors to review ("are these new rules in the table really
necessary?")
3. Additional rules slow a router down at a linear rate.
My primary concern here is how well a router can protect itself. Though
suggestions for different network architectures are appreciated, I assure you
that I have considered many if not most of them. Any additional help would be
appreciated.
Dan Salenger
Deloitte & Touche LLP
dsalenger@dttus.com
my last message was:
I am working with a client that has the following configuration:
{Internet}--[ISP]--[Firewall-1]-[WWW server]-[router]--[internal net]
Due to prior conversations and observations from this list, I consider
WWW servers to be less than secure. Though I promote the
Dual-Firewall DMZ approach, I am uncertain about the dependence that
my client may be placing on the router (as a second firewall) in this
diagram.
To add detail:
- The primary firewall will allow HTTP, HTTPS, and SMTP inbound
- Only HTTP and HTTPS will be allowed to the web server from the
Internet.
My train of thought is that if the WWW server is compromised
(Firewall-1 does not seem to look at the 'insides' of the HTTP packet
traffic to look for harmful commands and buffer overflows, etc...)
then an attacker would have a launching point for the next phase of
the attack which would be against the router. Any thoughts or
opinions concerning this situation? Thank you for any assistance.
Dan Salenger
Deloitte & Touche LLP
dsalenger@dttus.com
P. Joseph Hoopfer
Systems Engineer
CheckPoint Software
joeh@us.checkpoint.com
810 673-1952
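Concerns 2 and 3 above (no usable audit trail, and per-packet cost growing with the rule table) can be made concrete with a small model of an ordered, first-match router access list. This is an added illustration, not code from the original message or from any vendor; the addresses, rule names and traffic sample are constructed, with the WWW server at 192.0.2.10 and the internal net as 10.0.0.0/8. The per-rule hit counter is the kind of evidence an auditor would want when asking whether a rule is still necessary.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    dport: Optional[int] # destination port, None matches any
    action: str          # "permit" or "deny"
    hits: int = 0        # per-rule hit counter, kept for audit review

class Acl:
    """Ordered first-match access list with an implicit final deny."""
    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, src, dst, proto, dport):
        """Return (action, rules_examined) for one packet; cost is linear in position."""
        for examined, r in enumerate(self.rules, start=1):
            if (ip_address(src) in ip_network(r.src)
                    and ip_address(dst) in ip_network(r.dst)
                    and r.proto in ("any", proto) and r.dport in (None, dport)):
                r.hits += 1
                return r.action, examined
        return "deny", len(self.rules)  # implicit deny: the whole table was scanned

    def unused_rules(self):
        """Rules never matched by the traffic seen so far (candidates for review)."""
        return [r.name for r in self.rules if r.hits == 0]

# Constructed sample addresses (not from the original message)
WWW, DB, INTERNAL = "192.0.2.10/32", "10.1.1.5/32", "10.0.0.0/8"
ROUTER_ACL = Acl([
    Rule("www-to-db", WWW, DB, "tcp", 1521, "permit"),      # commerce traffic
    Rule("www-legacy-ftp", WWW, DB, "tcp", 21, "permit"),   # stale rule still in the table
    Rule("www-deny-rest", WWW, INTERNAL, "any", None, "deny"),
    Rule("inside-to-www", INTERNAL, WWW, "tcp", 80, "permit"),
])
# Constructed traffic sample: (src, dst, proto, dport)
SAMPLE_TRAFFIC = [
    ("192.0.2.10", "10.1.1.5", "tcp", 1521),  # legitimate commerce session
    ("192.0.2.10", "10.1.1.6", "tcp", 23),    # WWW host reaching for another internal host
    ("10.2.3.4", "192.0.2.10", "tcp", 80),    # internal user browsing the site
    ("10.2.3.4", "10.2.3.5", "udp", 53),      # matches nothing: implicit deny
]

def run_sample():
    """Evaluate the sample; return per-packet decisions and the unused-rule list."""
    decisions = [ROUTER_ACL.evaluate(*pkt) for pkt in SAMPLE_TRAFFIC]
    return decisions, ROUTER_ACL.unused_rules()
```

The second value in each decision is how far down the table the router had to look, which is the linear cost the message refers to; the unused-rule list is what the audit question "are these rules really necessary?" needs as input.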