Re: Firewall placement and the DMZ...
Simon,
The answer depends on what you are trying to achieve. If you are
doubling the firewalls for redundancy or bandwidth reasons then scenario
one is the right choice. If you are looking for a more secure
environment then scenario two may be the better option. I've designed
and evaluated sites with both configurations and to be honest, I find
little difference in the security profiles between a single firewall with
an external, DMZ and internal interface and a scenario two type
configuration with two separate firewalls.
Most firewall failures are due to misconfigurations, and firewalls with
three (or more) interfaces are more complex to configure, which can lead
to mistakes and vulnerabilities. Good luck with your endeavor.
Bill Stackpole, CISSP
SGriffin@maritz.co.uk
Sent by: firewalls-owner@Lists.GNAC.NET
07/12/00 01:56 AM
To: Firewalls@lists.gnac.net
cc:
Subject: Firewall placement and the DMZ...
Hi,
I was hoping some of you would be able to give me your opinions on how I
should proceed in my firewall placement strategy.
Here is some detail on our current setup:
Firewall = Watchguard firebox II.
                                      - [LAN]
[Internet] - [Router] - [Firewall] ---
                                      - [DMZ]
We will be replacing the Watchguard with Checkpoint Firewall-1 running on
NT (I know about NT, but this is what the business wants). I will be
wanting to implement 2 firewalls but I have yet to decide whether to go
for fault tolerance, or to place the secondary firewall between the DMZ and
the LAN:
Scenario1 (Fault tolerance)
                                          - [LAN]
[Internet] - [Router] - [Firewall x 2] ---
                                          - [DMZ]
Scenario 2
[Internet] - [Router] - [Firewall] - [DMZ] - [Firewall] - [LAN]
Scenario2 ( higher security)
Your suggestions will be greatly appreciated.
Regards
Simon