Firewall Sandwich?

infamus (Gawd, joined Sep 5, 2006, 681 messages)
I am in the middle of implementing a dual-firewall solution with a DMZ in the middle. I have a rough idea of how I want it to work, but I haven't found too many KB articles or documentation for my scenario. Anyone have any helpful hints for me?

Also, the soon-to-be DMZ servers are residing in our VMware datacenter along with everything else. I have to segregate them from the internal network while being on the same set of switches and SAN.

This is getting complicated and I don't think I'm getting paid enough for it.
 
Why do you want two firewalls? What's wrong with one firewall and configuring a port for the DMZ, like an ASA 5500 series?

Separate the server into its own VLAN for the DMZ.
 
My thought as well. You can have 2 firewalls, but you would just have one firewall forwarding data to the other and have the same ports open on both so they could talk and let data in and out...
 
> I have a rough idea of how I want it to work, but I haven't found too many KB articles or documentation for my scenario

That should be a good indication that what you are trying to do is either a) a bad idea or b) not a best practice...
 
While many people will tell you not to use VLANs for security, it can be done, and I've worked in places where it was done for production. IMO if it's done well, you shouldn't have problems. No immediate need for multiple firewalls, but at some point, depending on the traffic you are pushing, you may need to re-evaluate your setup. The reason we ended up doing VLANs to segregate prod traffic is the use of a Cisco Catalyst 4500 core doing a lot of inter-VLAN routing, particularly to make use of some load balancing stuff using F5 BIG-IPs. And yes, just tag the VLANs you need on a trunk to your ESX hosts.
 
> Why do you want two firewalls? What's wrong with one firewall and configuring a port for the DMZ, like an ASA 5500 series?
>
> Separate the server into its own VLAN for the DMZ.


Let me add more to the story. Wasn't my idea to start with; my boss was told by a few HIPAA pen testers that a dual-firewall setup would be the most secure. So with that he bought another firewall and now it's my job. I wasn't complaining at first because I thought it would be fun to learn something new.

I was more or less asking if there were any ways to secure the network space between the 2 firewalls (ACLs) and not just forward traffic between them?

However, I did start off with making groups of all the AFRINIC, RIPE and APNIC networks and denying them. Works pretty well; I've gotten 11,000 denials in the last 3 hours.
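The two things the post above asks about, region-based deny groups on the outer firewall and real ACLs (rather than blind forwarding) on the inner firewall, can be reasoned about with a small first-match ACL evaluator. The following is an added example written for this thread, not code from the original post or from any firewall vendor. All addresses are constructed: the "region" prefixes are TEST-NET placeholders standing in for the RIR allocations the poster grouped, and the DMZ/internal ranges are invented.

```python
"""Toy stateless ACL evaluator for a dual-firewall DMZ (example code, not from the thread)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Object groups, as lists of CIDRs. All values are constructed for the example:
# REGION_DENY uses TEST-NET documentation ranges as placeholders for the real
# RIR allocation lists (AFRINIC/RIPE/APNIC) the poster built groups from.
GROUPS = {
    "REGION_DENY": ["203.0.113.0/24", "198.51.100.0/24"],  # placeholder, not real RIR data
    "DMZ": ["172.16.10.0/24"],          # assumed DMZ segment between the firewalls
    "DMZ_WEB": ["172.16.10.10/32"],     # assumed public-facing web host in the DMZ
    "INTERNAL": ["10.0.0.0/8"],         # assumed internal network
    "INTERNAL_DB": ["10.0.5.20/32"],    # assumed database the web host must reach
    "ANY": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # object-group name
    dst: str                    # object-group name
    proto: str                  # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def in_group(addr: str, group: str) -> bool:
    """True if the address falls inside any CIDR of the named object group."""
    a = ip_address(addr)
    return any(a in ip_network(cidr) for cidr in GROUPS[group])


def evaluate(acl, flow: Flow):
    """First matching rule wins; implicit deny at the end, like most firewall ACLs.

    Returns (action, index_of_matching_rule); index is None for the implicit deny.
    """
    for i, r in enumerate(acl):
        if (in_group(flow.src, r.src) and in_group(flow.dst, r.dst)
                and r.proto in ("any", flow.proto)
                and r.dport in (None, flow.dport)):
            return r.action, i
    return "deny", None


# Outer firewall: drop the grouped regions first, then expose only HTTPS on the web host.
OUTER_FW = [
    Rule("deny", "REGION_DENY", "ANY", "any"),
    Rule("permit", "ANY", "DMZ_WEB", "tcp", 443),
]

# Inner firewall: the DMZ segment is untrusted. Only the web host may reach the
# database port; every other DMZ-to-internal flow is denied explicitly so it is logged.
INNER_FW = [
    Rule("permit", "DMZ_WEB", "INTERNAL_DB", "tcp", 1433),
    Rule("deny", "DMZ", "INTERNAL", "any"),
]


if __name__ == "__main__":
    samples = [
        ("outer", OUTER_FW, Flow("192.0.2.7", "172.16.10.10", "tcp", 443)),
        ("outer", OUTER_FW, Flow("203.0.113.5", "172.16.10.10", "tcp", 443)),
        ("inner", INNER_FW, Flow("172.16.10.10", "10.0.5.20", "tcp", 1433)),
        ("inner", INNER_FW, Flow("172.16.10.10", "10.0.5.20", "tcp", 22)),
    ]
    for name, acl, flow in samples:
        print(name, flow, "->", evaluate(acl, flow))
```

The point of the inner ACL is that a compromised DMZ host gains only the one database port, not the internal network; the explicit deny after the permit also gives you a hit counter for anything unexpected coming out of the DMZ, which is the same kind of signal as the region-deny counts mentioned above.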
 
Well, the problem you will run into is having multiple NATs, which normally don't play nice with most phone systems if you're using VoIP.

Next you have the complexity of two firewalls, pain in the ass.

You don't need two firewalls for HIPAA compliance. A strong hardware firewall and intrusion detection/prevention will normally get you past. Your biggest risk for violating HIPAA is the users that leave their computers open all day, never log out and so on.

You're asking for trouble with two firewalls.
 
> Let me add more to the story. Wasn't my idea to start with; my boss was told by a few HIPAA pen testers that a dual-firewall setup would be the most secure. So with that he bought another firewall and now it's my job. I wasn't complaining at first because I thought it would be fun to learn something new.
>
> I was more or less asking if there were any ways to secure the network space between the 2 firewalls (ACLs) and not just forward traffic between them?
>
> However, I did start off with making groups of all the AFRINIC, RIPE and APNIC networks and denying them. Works pretty well; I've gotten 11,000 denials in the last 3 hours.

HIPAA needs to really be drug out to the street and shot and started over. There is no reason (again, NO reason) you need 2 firewalls sandwiched together. I work in health care and we don't have multiple firewalls in place doing what you want. We do have multiple firewalls for redundancy, but that's it.

Do it right and you shouldn't need 2 firewalls. Just more layers of complexity and layers of shit you don't need. Tell the pen testers you want your money back.
 
It's all part of that "security through obscurity" approach that just keeps getting worse IMO.

So many of these ideas people have belong on the walls of "A Beautiful Mind" and nowhere near real data networks.

The weakest link is still the humans that administer the devices. Make the designs too unwieldy or too difficult to maintain and they end up less secure in the long run.
 
> HIPAA needs to really be drug out to the street and shot and started over. There is no reason (again, NO reason) you need 2 firewalls sandwiched together. I work in health care and we don't have multiple firewalls in place doing what you want. We do have multiple firewalls for redundancy, but that's it.
>
> Do it right and you shouldn't need 2 firewalls. Just more layers of complexity and layers of shit you don't need. Tell the pen testers you want your money back.

I totally agree, but again, I'm not in charge of decision making. I'm the guy whose job it is to make it work. It's just one more thing to show the higher-ups that we are "secure". I will try and make the best of it for now. I'll post some updates when I'm finished. I was looking for answers, not scrutiny, but I'll take them both.
 
It's not that we are avoiding giving you answers; it's that what they want is not a standard setup. Fact of the matter is the pen tester likely knows zip about what a firewall does and why you only need one decent one to be compliant.

Sometimes they request you to have a standby firewall in case the primary goes down, such as the SEC did with us when we went through our background check to service some accounts.
 
> I was looking for answers, not scrutiny, but I'll take them both.

Sorry that you get to be the brunt of a decision made by someone else. I really didn't mean to sound negative with my answers. Just bothers me that people suggest this shit and think it's OK. Really they are just wasting money to make stupid suggestions. We are underfunded as an IT department as it is.
 