2 FW's serial

Guest

Archived from groups: comp.security.firewalls

Hi
                   _____                    _____
                  |     |                  |     |
<-----Internet--->| FW1 |<-----DMZ LAN---->| FW2 |<----internal net---->
                  |_____|                  |_____|

my boss had the idea to buy 2 cheap Firewalls (Pix 501) instead of
Pix 515 with DMZ. The DMZ server would be placed into the LAN between.
The first one would do NAT as well as the second one. The requirement
is to be able to do VPN.

Good or bad idea?
Please give me some strong reasons against this funny idea.
 
Archived from groups: comp.security.firewalls

bjoho wrote:

>                    _____                    _____
>                   |     |                  |     |
> <-----Internet--->| FW1 |<-----DMZ LAN---->| FW2 |<----internal net---->
>                   |_____|                  |_____|
>
> my boss had the idea to buy 2 cheap Firewalls (Pix 501) instead of
> Pix 515 with DMZ. The DMZ server would be placed into the LAN between.
> The first one would do NAT as well as the second one. The requirement
> is to be able to do VPN.

You will encounter severe problems with VPN tunnels
running series firewalls, pretty sure. I believe
encryption problems will be encountered and conflicts
with each firewall recognizing commands to create
a VPN tunnel. Not positive on this but seems logical.

You might consider using a transparent (bridging)
firewall for your FW1 firewall. A transparent
firewall would perform a majority of the work
preventing common attacks and should not mess with
your VPN tunnel coming out of your second system.

Netscreen offers a series of firewalls with an
ability to operate in a transparent mode.

I am not sure you will realize any significant
benefit by running two firewalls in series.


Purl Gurl
 
Archived from groups: comp.security.firewalls

Why do both need to NAT?

Depending on the Network addressing, the Internet one may be the only one
required to NAT.

As others have mentioned, it's normal to do this, however one may want to
consider an alternate vendor for the 2nd.
Might give you a bit of a break if there was a vulnerability in one box, the
1st may catch it, etc.


"bjoho" <b.joho@hunkeler.ch> wrote in message
news:141dd10d.0404260557.4cd9b223@posting.google.com...
> Hi
>                    _____                    _____
>                   |     |                  |     |
> <-----Internet--->| FW1 |<-----DMZ LAN---->| FW2 |<----internal net---->
>                   |_____|                  |_____|
>
> my boss had the idea to buy 2 cheap Firewalls (Pix 501) instead of
> Pix 515 with DMZ. The DMZ server would be placed into the LAN between.
> The first one would do NAT as well as the second one. The requirement
> is to be able to do VPN.
>
> Good or bad idea?
> Please give me some strong reasons against this funny idea.
 
Archived from groups: comp.security.firewalls

"Purl Gurl" <purlgurl@purlgurl.net> wrote in message
news:408D3870.9784292D@purlgurl.net...
> bjoho wrote:
>
> >                    _____                    _____
> >                   |     |                  |     |
> > <-----Internet--->| FW1 |<-----DMZ LAN---->| FW2 |<----internal net---->
> >                   |_____|                  |_____|
> >
> > my boss had the idea to buy 2 cheap Firewalls (Pix 501) instead of
> > Pix 515 with DMZ. The DMZ server would be placed into the LAN between.
> > The first one would do NAT as well as the second one. The requirement
> > is to be able to do VPN.
>
> You will encounter severe problems with VPN tunnels
> running series firewalls, pretty sure. I believe
> encryption problems will be encountered and conflicts
> with each firewall recognizing commands to create
> a VPN tunnel. Not positive on this but seems logical.
>
> You might consider using a transparent (bridging)
> firewall for your FW1 firewall. A transparent
> firewall would perform a majority of the work
> preventing common attacks and should not mess with
> your VPN tunnel coming out of your second system.
>
> Netscreen offers a series of firewalls with an
> ability to operate in a transparent mode.
>
> I am not sure you will realize any significant
> benefit by running two firewalls in series.
>
>
> Purl Gurl



Good points.

I would suspect it would depend on who initiated the tunnel, inside or out
as well as what type of VPN was used (SSL, IPSEC, PPTP, etc).

One major benefit from having two is to use two different vendors; it may
provide some extra protection if a vulnerability is found in one Firewall or
the other.
 
Archived from groups: comp.security.firewalls

Hi,

bjoho <b.joho@hunkeler.ch> wrote:
> The first one would do NAT as well as the second one. The requirement
> is to be able to do VPN.

VPN from where to where?

> Good or bad idea?

Usually a good idea.

> Please give me some strong reasons against this funny idea.

Funny? Nope. Classic architecture 😉

Greetings,
Jens
 
Archived from groups: comp.security.firewalls

On Mon, 26 Apr 2004 06:57:58 -0700, bjoho wrote:

> Hi
>                    _____                    _____
>                   |     |                  |     |
> <-----Internet--->| FW1 |<-----DMZ LAN---->| FW2 |<----internal net---->
>                   |_____|                  |_____|
>
> my boss had the idea to buy 2 cheap Firewalls (Pix 501) instead of
> Pix 515 with DMZ. The DMZ server would be placed into the LAN between.
> The first one would do NAT as well as the second one. The requirement
> is to be able to do VPN.

You may have a problem with VPN, as IPSec does not like NAT at all. This
could be solved if at least one of the firewalls runs in bridging
(transparent) mode.

> Good or bad idea?

Much better than a single firewall with a "DMZ". You are lucky to have a
knowledgeable boss.

> Please give me some strong reasons against this funny idea.

To each his own sense of humor. This is a classical setup, and more secure
than a single firewall. For bonus points use different manufacturers
(or at least models) for the two firewalls.
--
Mailman
 
Archived from groups: comp.security.firewalls

Not-My-Real-Name wrote:

> Good points.

Wrong.

> I would suspect it would depend on who initiated the tunnel, inside or out
> as well as what type of VPN was used (SSL, IPSEC, PPTP, etc).

As long as the VPN tunnel(s) terminate(s) at the inner gateway, there are no
problems at all. Of course you need public (routable) IP addresses for the
DMZ machines and the external interface of the inner gateway. The setup
with the DMZ being placed between two screening packet filters is a very
classic architecture; actually that setup is older than the 3-leg DMZ
setup.

Nevertheless I'd not recommend using 501 'playground' boxes for that.
Once these small boxes see some real traffic, they are lost. Use some free
Uni*x machines for that purpose.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel
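Two points in the replies above deserve a concrete illustration: Mailman's remark that "IPSec does not like NAT at all", and Wolfgang's condition that the tunnel terminates on the inner gateway and that the inner gateway's external interface keeps a public (routable) address. The Python model below is an added example, not code from the thread or from any firewall vendor. It uses constructed documentation-range addresses, a constructed key, and dict "packets" in place of real datagrams; the `Nat` class, `demo()` and all other names are assumptions for the demo. It shows three things: an AH integrity check covers the source address, so even a clean one-to-one rewrite on FW1 invalidates it; ESP carries no transport ports, so many-to-one PAT has nothing to key a mapping on, whereas a static one-to-one mapping (the routable address Wolfgang asks for) passes it untouched; and NAT-T, which wraps ESP in UDP/4500, gives PAT the ports it needs.

```python
"""Toy model of IPsec meeting a NAT gateway (added example, not from the thread).

FW1 in the two-firewall design acts as a NAT in front of the IPsec endpoint
on FW2's outside interface.  All addresses, keys and payloads are
constructed for the demo; packets are plain dicts.
"""
import hashlib
import hmac

KEY = b"constructed-demo-key"   # stands in for an SA's integrity key (constructed)
PUBLIC = "203.0.113.1"          # FW1's outside address (constructed, documentation range)


def ah_icv(pkt):
    """AH integrity check value over the fields AH treats as immutable,
    which include the source and destination addresses."""
    msg = "|".join(str(pkt[k]) for k in ("src", "dst", "spi", "payload")).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def build_ah(src, dst, spi, payload):
    pkt = {"proto": "AH", "src": src, "dst": dst, "spi": spi, "payload": payload}
    pkt["icv"] = ah_icv(pkt)
    return pkt


def build_esp(src, dst, spi, payload):
    # ESP: no transport ports, only an SPI; the payload is opaque to the NAT.
    return {"proto": "ESP", "src": src, "dst": dst, "spi": spi, "payload": payload}


def build_natt(src, dst, sport, spi, payload):
    # NAT-T: the ESP packet rides inside UDP to port 4500, so ports exist again.
    return {"proto": "UDP", "src": src, "dst": dst, "sport": sport,
            "dport": 4500, "spi": spi, "payload": payload}


def verify_ah(pkt):
    return hmac.compare_digest(ah_icv(pkt), pkt["icv"])


class Nat:
    """Outbound translation on FW1: static 1:1 for listed hosts, PAT for the rest."""

    def __init__(self, public_ip, static=None):
        self.public_ip = public_ip
        self.static = dict(static or {})  # inside address -> dedicated public address
        self.pat = {}                     # (inside address, inside port) -> public port
        self.next_port = 40000

    def outbound(self, pkt):
        out = dict(pkt)
        if pkt["src"] in self.static:
            out["src"] = self.static[pkt["src"]]   # 1:1 rewrite, nothing else touched
            return out
        if "sport" not in pkt:
            # AH/ESP carry no ports, so many-to-one PAT has no field it can
            # rewrite to tell two inside hosts apart on the return path.
            raise ValueError(f"PAT cannot translate {pkt['proto']}: no ports")
        key = (pkt["src"], pkt["sport"])
        if key not in self.pat:
            self.pat[key] = self.next_port
            self.next_port += 1
        out["src"] = self.public_ip
        out["sport"] = self.pat[key]
        return out


def demo():
    """Run the three cases and return their outcomes."""
    results = {}
    fw2 = "192.0.2.10"      # FW2's outside interface, behind FW1 (constructed)
    peer = "198.51.100.7"   # remote VPN peer (constructed)
    static_nat = Nat(PUBLIC, static={fw2: "203.0.113.10"})
    pat = Nat(PUBLIC)

    # 1. AH: even a clean 1:1 source rewrite invalidates the ICV at the peer.
    ah = static_nat.outbound(build_ah(fw2, peer, 0x100, "hello"))
    results["ah_ok_after_nat"] = verify_ah(ah)

    # 2a. ESP through many-to-one PAT: no port to hang a mapping on.
    try:
        pat.outbound(build_esp(fw2, peer, 0x200, "ciphertext"))
        results["esp_pat"] = "translated"
    except ValueError:
        results["esp_pat"] = "dropped"

    # 2b. ESP through a static mapping passes with the payload untouched.
    esp = static_nat.outbound(build_esp(fw2, peer, 0x200, "ciphertext"))
    results["esp_static_src"] = esp["src"]
    results["esp_static_payload_intact"] = esp["payload"] == "ciphertext"

    # 3. NAT-T: two inside hosts both sending from UDP/4500 get distinct public ports.
    a = pat.outbound(build_natt(fw2, peer, 4500, 0x300, "ciphertext"))
    b = pat.outbound(build_natt("192.0.2.11", peer, 4500, 0x301, "ciphertext"))
    results["natt_ports_distinct"] = a["sport"] != b["sport"]
    results["natt_public_src"] = a["src"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model deliberately leaves out the SPI-tracking heuristics that many real NAT implementations add to pass a single ESP flow through PAT; the baseline it shows is why the thread's advice converges on either a routable address for the inner gateway, or a transparent FW1 that does not rewrite addresses at all.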
 
Archived from groups: comp.security.firewalls

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:c6jqrh$o3e$1@news.shlink.de...
> Not-My-Real-Name wrote:
>
> > Good points.
>
> Wrong.
>
Huh?
What did you disagree with specifically? The fact that he may encounter
problems with VPN depending on what the setup/situation is? Don't like his
idea on transparent bridging firewall? Don't like Netscreen?
All options are on the table at this point, his and your crystal balls are
equally clear IMO.



> > I would suspect it would depend on who initiated the tunnel, inside or out
> > as well as what type of VPN was used (SSL, IPSEC, PPTP, etc).
>
> As long as the VPN tunnel(s) terminate(s) at the inner gateway, there are no
> problems at all. Of course you need public (routable) IP addresses for the
> DMZ machines and the external interface of the inner gateway. The setup
> with the DMZ being placed between two screening packet filters is a very
> classic architecture; actually that setup is older than the 3-leg DMZ
> setup.
>

Without knowing the real details of this environment, it's hard to say what
would or wouldn't work on this network for VPN.

> .. 'playground'

;-)