Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Two levels of firewalls

from [Joel Jose] Network Security [Permanent Link]
Subject: Re: Two levels of firewalls
Date: Thu, 4 May 2006 17:32:28 +0530 
yes. i conccur with Omar's suggestion. The point to be noted is that
except in the one Omar emphasised the IPS would get all the junk's and
wouldnt be considered a clean situation. I dont know about most of
you, I could easily find out the IPS(unstealth it), if you put it in
the gateway for me ;). Think of it in another way, A successful
attacker is more likely to first break into the gateway than
otherwise. Ofcourse he will be looking at the gateway hoping to find
the first point of weakness(relative weakness), in that process if he
gets to a better (more silly) weakness he will turn his attention
towards it; Unless that happens its mostly the gateway thats the first
focus. So having your IPS in your gateway(in stealth mode) wont give
you that much advantage than posting in your website that you have an
IPS in the first place!!!

joel.

On 5/4/06, Omar Salvador Alcalá Ruiz <oalcala@scitum.com.mx> wrote: 

Hi

If all you have is a FW1 which separates different security segments, and
the Fortigate IPS is just intended for the Public DMZ, I rather choose
another scheme, since in your first scheme you have the IPS to catch many
"Internet garbage" that can be contained at the firewall. In your second,
you put a double point of failure for your Public DMZ to internal servers &
users (I assume there should be a little communication, at least for admin
issues). Plus, according to your NAT preferences, by enabling a GW in the
Fortigate, you'll lose the "stealth mode" (if not, please let me know).

So I would take this scenario:

        CLOUD INTERNET
                     |
                     |
DMZ (2) ----  FW1  ----   Fortigate IPS (Stealth) --------  Public DMZ
                     |
                     |
                 DMZ(1)

Here, one firewall is correctly separating 4 different security-level
subnets. Then, the fortigate is having the IPS funcionality for the
migration you're planning to do, and then you have double-layer access
control for the public services you give to the world, yet controlling the
rest of your internal network. Additionally, you leverage the IPS
performance by setting up the Firewall before the IPS, thus filtering at
first all unnecessary services at the firewall and then inspecting the
accepted traffic.

From my POV, I rather have double-layer secured all those published services
than all the internal services which are denied from giving services to the
world. That doesn't mean you have to low down the Internal security, we're
just talking about Perimeter Security, you may think on IPS, HIPS, Personal
FW, some NAC, 802.1x, RSA and so on for the DMZ(1) and DMZ(2) areas.

If your fortigate can have multiple segments wired , consider use 3 pair of
ports, one for each segment between a DMZ and the FW.

HTH

OA

 ________________________________

From: Angel Alonso Párrizas [mailto:parrizas@gmail.com]
Sent: Martes, 02 de Mayo de 2006 11:28 a.m.

To: firewalls@securityfocus.com
Subject: Two levels of firewalls


Hello all:

I need your advice about a firewall configuration with two levels of them.

In our organization we have a first level of FWs, fortigate 800,  that
mainly are working such IPS (it is configurated is stealth mode, like a
bridge).
In the second one, there is a FW1 separating the differents DMZ zones. There
are 3 DMZ behind the FW1 which manage the traffic between them and with the
outside (Internet). Also the FW1 does NAT.

There is one DMZ zone with a very high (1) level of security, and other one
with a medium level (2) of security and the third is a public DMZ with all
the public services like WEB servers.

                        OUTSIDE
                              |
                          fortigate     (IPS in stealth mode)
                              |
PUBLIC DMZ  ..... FW1-----DMZ (2)
                              |
                               ..DMZ(1)


I would like to know if it is a good configuration to move the DMZ Public to
a fortigate Interface,  and to make the NAT in the first FW fortigate for
the hosts in public DMZ. So the configuration will be:


OUTSIDE
     |
     fortigat -----Public DMZ
     |
     FW1-----DMZ (2)
     |
     ...DMZ(1)


Which topology will you do with two levels of firewalls?


Thanks in advance.






--
Angel Alonso Párrizas
parrizas@gmail.com

CCNA, SSP-MPA

___________________________________
"La libertad no es algo negociable"





--
As soon as men decide that all means are permitted to fight an
evil, then their good becomes indistinguishable from the evil
that they set out to destroy.
                     - Christopher Dawson, The Judgment of Nations

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Two levels of firewalls, Angel Alonso Párrizas
Next by Date:  MAC in list that cannot be deleted, valentinousn
Previous by Thread:  RE: Two levels of firewalls, Omar Salvador Alcalá Ruiz
Next by Thread:  MAC in list that cannot be deleted, valentinousn
Indexes:  [Date] [Thread] [Top] [All Lists]