Hi
If all you have is a FW1 which separates different security segments, and
the Fortigate IPS is just intended for the Public DMZ, I rather choose
another scheme, since in your first scheme you have the IPS to catch many
"Internet garbage" that can be contained at the firewall. In your second,
you put a double point of failure for your Public DMZ to internal servers &
users (I assume there should be a little communication, at least for admin
issues). Plus, according to your NAT preferences, by enabling a GW in the
Fortigate, you'll lose the "stealth mode" (if not, please let me know).
So I would take this scenario:
CLOUD INTERNET
|
|
DMZ (2) ---- FW1 ---- Fortigate IPS (Stealth) -------- Public DMZ
|
|
DMZ(1)
Here, one firewall is correctly separating 4 different security-level
subnets. Then, the fortigate is having the IPS funcionality for the
migration you're planning to do, and then you have double-layer access
control for the public services you give to the world, yet controlling the
rest of your internal network. Additionally, you leverage the IPS
performance by setting up the Firewall before the IPS, thus filtering at
first all unnecessary services at the firewall and then inspecting the
accepted traffic.
From my POV, I rather have double-layer secured all those published services
than all the internal services which are denied from giving services to the
world. That doesn't mean you have to low down the Internal security, we're
just talking about Perimeter Security, you may think on IPS, HIPS, Personal
FW, some NAC, 802.1x, RSA and so on for the DMZ(1) and DMZ(2) areas.
If your fortigate can have multiple segments wired , consider use 3 pair of
ports, one for each segment between a DMZ and the FW.
HTH
OA
_____
From: Angel Alonso Párrizas [mailto:parrizas@gmail.com]
Sent: Martes, 02 de Mayo de 2006 11:28 a.m.
To: firewalls@securityfocus.com
Subject: Two levels of firewalls
Hello all:
I need your advice about a firewall configuration with two levels of them.
In our organization we have a first level of FWs, fortigate 800, that
mainly are working such IPS (it is configurated is stealth mode, like a
bridge).
In the second one, there is a FW1 separating the differents DMZ zones. There
are 3 DMZ behind the FW1 which manage the traffic between them and with the
outside (Internet). Also the FW1 does NAT.
There is one DMZ zone with a very high (1) level of security, and other one
with a medium level (2) of security and the third is a public DMZ with all
the public services like WEB servers.
OUTSIDE
|
fortigate (IPS in stealth mode)
|
PUBLIC DMZ ..... FW1-----DMZ (2)
|
..DMZ(1)
I would like to know if it is a good configuration to move the DMZ Public to
a fortigate Interface, and to make the NAT in the first FW fortigate for
the hosts in public DMZ. So the configuration will be:
OUTSIDE
|
fortigat -----Public DMZ
|
FW1-----DMZ (2)
|
...DMZ(1)
Which topology will you do with two levels of firewalls?
Thanks in advance.
--
Angel Alonso Párrizas
parrizas@gmail.com <mailto:parrizas@gmail.com>
CCNA, SSP-MPA
___________________________________
"La libertad no es algo negociable"
