External/DMZ/Internal with two firewalls?

Posted by te on March 22, 2006, 7:45 am
This is the first time I have seen this and I was curious on the
feedback on this configuration...

I'm at a new gig and they have their network setup with two external
firewalls (active/passive) for redundancy, then their DMZ, then another
pair of firewalls before getting into the Internal network.

I have always just seen one set of firewalls, not two. It has made
troubleshooting a complete nightmare, because they do double NAT'ing.

I have read a thing or two that "maybe" this might be something you
would do if you used two different vendors to protect against a 0-day
exploit, but it seems a little odd to me.

I just thought I would ask the experts.

Thanks


Posted by Leythos on March 22, 2006, 7:56 am
te@ivorypetal.com says...
> This is the first time I have seen this and I was curious on the
> feedback on this configuration...
>
> I'm at a new gig and they have their network setup with two external
> firewalls (active/passive) for redundancy, then their DMZ, then another
> pair of firewalls before getting into the Internal network.
>
> I have always just seen one set of firewalls, not two. It has made
> troubleshooting a complete nightmare, because they do double NAT'ing.
>
> I have read a thing or two that "maybe" this might be something you
> would do if you used two different vendors to protect against a 0-day
> exploit, but it seems a little odd to me.
>
> I just thought I would ask the experts.

You have as many layers of firewall as you determine you need. While a
1:X NAT can have issues, they could implement 1:1 NAT on the first
firewall, or maybe you should just ask the Network admins why they did
it that way.

--

spam999free@rrohio.com
remove 999 in order to email me

Posted by Ansgar -59cobalt- Wiechers on March 22, 2006, 10:30 am
te@ivorypetal.com wrote:
> This is the first time I have seen this and I was curious on the
> feedback on this configuration...
>
> I'm at a new gig and they have their network setup with two external
> firewalls (active/passive) for redundancy, then their DMZ, then
> another pair of firewalls before getting into the Internal network.

It's a common setup.

> I have always just seen one set of firewalls, not two.

That's another common setup.

> It has made troubleshooting a complete nightmare, because they do
> double NAT'ing.

I fail to see the problem.

> I have read a thing or two that "maybe" this might be something you
> would do if you used two different vendors to protect against a 0-day
> exploit,

Exactly. It's very unlikely that two different firewalls (preferably
running on different hardware platforms as well) are vulnerable to the
same 0-day exploit, thus raising the bar for an attacker who tries to
get into the LAN.

> but it seems a little odd to me.

I fail to see why.

cu
59cobalt
--
"If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology."
--Bruce Schneier

Posted by Don Kelloway on March 22, 2006, 10:51 am
> This is the first time I have seen this and I was curious on the
> feedback on this configuration...
>
> I'm at a new gig and they have their network setup with two external
> firewalls (active/passive) for redundancy, then their DMZ, then another
> pair of firewalls before getting into the Internal network.
>
> I have always just seen one set of firewalls, not two. It has made
> troubleshooting a complete nightmare, because they do double NAT'ing.
>
> I have read a thing or two that "maybe" this might be something you
> would do if you used two different vendors to protect against a 0-day
> exploit, but it seems a little odd to me.
>
> I just thought I would ask the experts.
>
> Thanks
>


It may offend some, but in my experience I've come to know a single firewall
supporting multiple interfaces as a 'Modern DMZ' whereas having two or more
firewalls inline with each other is what is/was referred to as a
'Traditional DMZ' with the network in between known as the perimeter
network.

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".
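The two points raised in the replies above, Leythos's remark that 1:X NAT on the outer pair is what makes tracing painful while 1:1 NAT would not be, and Don's description of the traditional DMZ as two inline firewalls with a perimeter network between them, can both be seen in a small model. The following is an added example written for this page, not code from any poster or vendor; the topology, address ranges (RFC 5737 documentation blocks and RFC 1918 space) and the inner firewall's ruleset are constructed for illustration and are an assumption, not the original poster's network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumption for this example only):
#   Internet <- outer firewall pair (outside address 203.0.113.1) -> perimeter/DMZ 172.16.0.0/24
#            <- inner firewall pair (DMZ-side address 172.16.0.1) -> internal 10.0.0.0/16
INTERNAL = ip_network("10.0.0.0/16")
DMZ = ip_network("172.16.0.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class OneToOneNat:
    """Static 1:1 NAT: one outside address per inside address. The mapping is a
    fixed table, so a log line can be mapped back without any connection state."""

    def __init__(self, inside_to_outside):
        self.in_to_out = dict(inside_to_outside)
        self.out_to_in = {v: k for k, v in inside_to_outside.items()}

    def outbound(self, flow):
        out = self.in_to_out.get(flow.src)
        return None if out is None else Flow(out, flow.sport, flow.dst, flow.dport)

    def who_is(self, outside_addr, outside_port):
        inside = self.out_to_in.get(outside_addr)
        return None if inside is None else (inside, outside_port)


class OneToManyNat:
    """1:X NAT (port address translation): every inside host appears as the one
    outside address, told apart only by a dynamically chosen source port, so a
    reverse lookup depends on the firewall's live state table."""

    def __init__(self, outside_addr, first_port=40000):
        self.outside = outside_addr
        self.next_port = first_port
        self.state = {}  # outside port -> (inside src, inside sport)

    def outbound(self, flow):
        port = self.next_port
        self.next_port += 1
        self.state[port] = (flow.src, flow.sport)
        return Flow(self.outside, port, flow.dst, flow.dport)

    def who_is(self, outside_addr, outside_port):
        return self.state.get(outside_port) if outside_addr == self.outside else None

    def expire(self, outside_port):
        """Connection timed out: the state entry, and with it the trail, is gone."""
        self.state.pop(outside_port, None)


def inner_policy(flow):
    """Constructed ruleset for the inner pair of a traditional (inline) DMZ:
    internal hosts may open 80/443 outward (DMZ or Internet); nothing that
    originates in the DMZ may open a connection into the internal network."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in INTERNAL and dst not in INTERNAL and flow.dport in (80, 443):
        return "permit"
    return "deny"


def build_double_pat():
    """Both pairs do 1:X NAT: two state tables stand between a log line and a host."""
    return OneToManyNat("172.16.0.1"), OneToManyNat("203.0.113.1", first_port=50000)


def build_outer_one_to_one():
    """Leythos's suggestion: static 1:1 NAT on the outer pair, PAT only on the inner."""
    return OneToManyNat("172.16.0.1"), OneToOneNat({"172.16.0.1": "203.0.113.1"})


def outbound_path(inner, outer, flow):
    """Internal host to Internet: inner policy check, then two successive translations."""
    if inner_policy(flow) != "permit":
        return None
    return outer.outbound(inner.outbound(flow))


def trace_back(inner, outer, seen_src, seen_sport):
    """What an admin holding only an external server's log line has to do: undo
    the outer NAT, then the inner NAT. Returns (internal host, port) or None."""
    hop = outer.who_is(seen_src, seen_sport)
    return None if hop is None else inner.who_is(*hop)
```

Run with the double-PAT build, the egress of a flow from 10.0.5.20 is seen by the external server as 203.0.113.1:50000, and `trace_back` only resolves it while both state tables still hold the entry; expiring the outer entry turns the answer into `None`. With 1:1 NAT on the outer pair the outer hop is a static table, so only the inner firewall's state can go missing. `inner_policy` also shows why the inline design is called a DMZ in the traditional sense: a flow opened from a DMZ host toward an internal address is denied at the inner pair regardless of what the outer pair allowed.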


