Great Circle Associates Firewalls
(April 1998)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: The One True Firewall (was Re: Circle o' Spam, etc.)
From: Bennett Todd <bet @ rahul . net>
Date: Fri, 3 Apr 1998 05:21:18 -0800
To: karsus @ geocities . com
Cc: firewalls @ greatcircle . com
In-reply-to: <firewalls . 35231138 . 66E5C96A @ geocities . com>

>[...] in the "professional" world, is there a system (DMZ, proxy,
>app.gateway, packet filter) that is recommended as a good, general
>firewall? I know that it depends on the protected network. But, suppose
>a small corp network.

You will find many opinions out there. Opinions are like [...].

But many people think that a pretty good ``one-size-fits-all'' looks

	inside, protected net <==> screening router <==>
		bastion w/ proxies <==DMZ==> screening router <==> internet

You place ``public'' servers on that DMZ --- WWW and so on. Either or
both of the screening routers can be ``stateful inspection'' packet
filters if you like. Bonus points if you can make the inside screening
router, the bastion, and the outside screening router use completely and
utterly different IP stacks:-).

For a corporate setting, there should be relatively few machines in the
DMZ, and they should be exquisitely tightly secured. The vast majority
of your clients will be on the inside net, and the proxy on the firewall
should be stripping applets.

For something wide open and tolerant like an ISP, the picture looks
exactly the same, but the majority of the big iron is out in the DMZ,
and it's got most of the users so it's not so well secured --- hence you
need to back it up carefully, ring it 'round with alarums (tripwire is
cool. NFR is cool too) and expect to deal with intrusions periodically.

But the ISP should have their business machines --- the ones that track
user payment info, accounts payable, etc. --- on an ``inside'' net
that's protected just like any other business.

If I had to do this today, from scratch, I'd make the inside router a
suitable-size Cisco. IOS is great. I'd probably make the bastion host
either an intel PC or a sparc, running OpenBSD, qmail, and a small
handful of proxies from fwtk. Left entirely to my own devices I'd make
the outside screening router with Red Hat Linux and ipfw, with packet
reassembly enabled (not that the OpenBSD bastion needs any such
coddling, but it might be nice if you put a victim in the DMZ). If cost
were no object or there were some pressure applied to run a commercial
firewall, you can use an FW-1 or a PIX for that outside screening

Of course if you've got a Big site, perhaps with multiple T3s coming in
or better, that outside screening router wants to be something like a
pair of hogged-out Cisco 7513s in HSRP.

This whole concept --- a one-size-fits-all firewall architecture --- is
predicated on the (controversial) belief that the benefit -vs- risk
tradeoffs of various protocols won't end up looking too wildly different
from one organization to the next. There are two gross steps in
protection level, that more-or-less fit the difference in control
between a screening router and an application proxy, and just about any
organization will have need of both levels. Starting with the above Big
Picture, most of the work comes in sketching in the details: exactly
what protocols will be permitted from where to where. That's where all
the negotiation and design comes in.


Indexed By Date Previous: RE: [NTSEC] MS Proxy Server as Firewall?
From: "Berchtold Patrick (GIAPBE)" <giapbe @ gia . ch>
Next: Re: gre and cisco
From: Eric Vyncke <evyncke @ cisco . com>
Indexed By Thread Previous: RE: [NTSEC] MS Proxy Server as Firewall?
From: "Berchtold Patrick (GIAPBE)" <giapbe @ gia . ch>
Next: the spam wars
From: "steplogic @ geocities . com" <steplogic @ geocities . com>

Search Internet Search