[Dshield] Back to Multiple Firewalls

dsb@rlx.com dsb at rlx.com
Tue Mar 19 05:37:49 GMT 2002


From: Stephane Grobety [mailto:security at admin.fulgan.com]
> RR> O.K., that's one for and one against Multiple Firewalls.
>
>Well, I personally like to use two different layers: one border
>firewall, and one workstation firewall. Add a good IDS and you're
>packed :)

Responding to the original question, IMHO (and that of many others on the
net) is that a layered approach is generally the best security posture.
Having multiple layers including products (open-source or not) from multiple
vendors minimizes your exposure should a vulnerability be found in one of
the layers.  You see this most commonly reflected in a corporate environment
as a border router which does basic ACL-based screening, and then a firewall
which runs a more complex ruleset, and does (hopefully) stateful packet
inspection.

At home, I see a lot of recommendations such as a broadband router, and then
perhaps a host-based firewall such as that offered by XP, ZA, ...

Generally, unless you're dealing with the performance of a T3 or above,
you're not dealing with levels of traffic which will be heavily affected by
having multiple layers.

[..snip..snip..]

>Hum. Might I ask why you want to control outgoing connection ?? There
>are valid reasons to do so (like filtering anything that goes to the
>double-click domain) but it seems out of focus for a personal firewall
>(if you have been trojanized, it's already too late).

For users with a fixed "real" IP space, one Really Good Idea(tm) is to
perform egress filtering--that is allowing only outbound traffic sourced
from one of your legitimate IP addresses.  This prevents you (you, your
users, or someone who has managed to intrude upon your well being ;)  ) from
spoofing outgoing packets.  A very good practice indeed, and one recommended
in the SANS firewall courses that I've attended.

Another good reason is to simply be more aware of what traffic you are
sending out.  It's a great way to nail an unknown piece of spyware, or
anything else doing something that you don't know about.  Never hurts to
know about something.

RR> It passed four independent audits and Gibson's Leak Test. If it ain't
RR> broke - don't fix it they say...just wondered XP or ZA augmented each
RR> other - no effect, or possible risk effect with both.

Again, responding to the original post here, just because you pass it now,
doesn't mean that that nifty piece of software you decide to install
tomorrow won't leak something.  

>Well, I personally see the "more might not always be better" effect.
>If you have ONE effective firewall, adding a second one will, most
>likely, just double the configuration/maintenance efforts which, in
>turns, will reduce actual security. If you add to that the increased
>difficulty in maintaining logs from two different sources (no syslog
>here)...

Valid consideration IMHO.  If you can afford to support it, then do.  If
not, don't.  Just be aware of the compromise that you're making.  As long as
you go into the decision knowing what tradeoffs are there you'll be able to
make an educated decision, at least.

[..snip..snip..]

RR> Since I have a tie going - need one
RR> more vote.  Thanks.

ObMyVote: layered good.



-db

Dave Brookshire
RLX Technologies, Inc.
email: dsb at rlx.com
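The layered design and the egress filter discussed in this message, as an added example that is not part of the original post and not code from DShield or RLX: a small Python simulation of a border router doing stateless anti-spoofing ACLs in front of a stateful firewall with a narrower ruleset. The site prefix 203.0.113.0/24, the web server address, the sample packets and the list of permitted outbound ports are all constructed for the example; real deployments would express the same policy in router ACLs and firewall rules.

```python
"""Toy simulation of a two-layer perimeter: border ACL + stateful firewall.

Constructed example. Addresses come from the RFC 5737 documentation ranges;
the policy (which ports may leave, which service is public) is assumed.
"""
import ipaddress
from dataclasses import dataclass

# Assumed site addressing (constructed, not from the post).
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")      # the site's "real" IP space
WEB_SERVER = ipaddress.ip_address("203.0.113.10")        # the only publicly reachable host
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUTBOUND_PORTS = {53, 80, 443}                           # assumed policy: what clients may open


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str   # "in" (arriving from the Internet) or "out" (leaving the site)
    syn: bool        # True for the packet that opens a new TCP connection


def border_acl(pkt):
    """Layer 1: stateless ACL on the border router.

    Egress: only packets sourced from our own prefix may leave (egress filtering,
    the anti-spoofing practice the message recommends).
    Ingress: a packet arriving from outside that claims our prefix or private
    space cannot be legitimate, so it is dropped before any further checking.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "out":
        return src in OUR_PREFIX
    return src not in OUR_PREFIX and not any(src in n for n in PRIVATE)


class StatefulFirewall:
    """Layer 2: stateful filter with the more detailed ruleset."""

    def __init__(self):
        self.flows = set()          # (client, server, server_port) of connections seen opening
        self.outbound_log = []      # every new outbound connection, for the "know what you send" point

    def check(self, pkt):
        if pkt.direction == "out":
            if pkt.dport not in OUTBOUND_PORTS:
                return False        # unexpected destination port: an unknown program phoning home
            key = (pkt.src, pkt.dst, pkt.dport)
            if key not in self.flows:
                self.flows.add(key)
                self.outbound_log.append(key)
            return True
        # Inbound: the public web service, or a reply belonging to a flow we opened.
        if ipaddress.ip_address(pkt.dst) == WEB_SERVER and pkt.dport == 80:
            return True
        return (pkt.dst, pkt.src, pkt.sport) in self.flows


def evaluate(fw, pkt):
    """Run a packet through both layers in topological order.

    Returns ("ACCEPT", None) or ("DROP", name_of_layer_that_dropped_it).
    """
    layers = [("border-acl", border_acl), ("stateful-fw", fw.check)]
    if pkt.direction == "out":
        layers.reverse()            # outbound traffic meets the firewall first, then the border router
    for name, check in layers:
        if not check(pkt):
            return ("DROP", name)
    return ("ACCEPT", None)


def run_demo():
    """Feed constructed sample traffic through the layers; order matters because of state."""
    fw = StatefulFirewall()
    samples = [
        ("client opens https", Packet("203.0.113.50", "198.51.100.7", 40000, 443, "out", True)),
        ("server replies", Packet("198.51.100.7", "203.0.113.50", 443, 40000, "in", False)),
        ("spoofed source leaving", Packet("192.0.2.9", "198.51.100.7", 40001, 443, "out", True)),
        ("private source leaving", Packet("10.0.0.5", "198.51.100.7", 40002, 80, "out", True)),
        ("visitor to web server", Packet("198.51.100.7", "203.0.113.10", 51000, 80, "in", True)),
        ("outsider claiming our prefix", Packet("203.0.113.99", "203.0.113.10", 51001, 80, "in", True)),
        ("unsolicited smb to workstation", Packet("198.51.100.7", "203.0.113.50", 51002, 445, "in", True)),
        ("unknown program on 6667", Packet("203.0.113.50", "198.51.100.7", 40003, 6667, "out", True)),
    ]
    verdicts = {label: evaluate(fw, pkt) for label, pkt in samples}
    return {"verdicts": verdicts, "new_outbound": list(fw.outbound_log)}


if __name__ == "__main__":
    result = run_demo()
    for label, (verdict, layer) in result["verdicts"].items():
        print(f"{label:32s} {verdict:6s} {layer or ''}")
    print("new outbound connections seen:", result["new_outbound"])
```

Two things the run shows that the message argues in prose: a spoofed or private source address leaving the site is stopped by the border ACL even though the stateful firewall (which only judges ports and state) let it through, which is the "a weakness in one layer is covered by the other" point; and the firewall's `outbound_log` records every new outbound connection, including the 192.0.2.9 and 10.0.0.5 attempts, so an administrator reviewing it would notice traffic that no known program should be generating.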
