Oct 27 2004

1oo2 Firewall Architecture

Published by Martin at 12:41 pm under Firewall

SC Magazine

Basically, this article says that you need to run two application layer firewalls in series for the best protection of your network. The author makes it sound like any other design is inadequate. I agree with many of the points made in the article, just not the severity of his analysis.


3 Responses to “1oo2 Firewall Architecture”

  1. Jian on 27 Oct 2004 at 3:30 pm

    This is the defense-in-depth stuff that old security guards always bring out. The guy’s from Cyberguard so he’s just trying to sell more firewalls. :)
    I agree that it’s a good practice sometimes, but it also depends on the requirements. I hate it when people always say that like it’s gospel.

  2. Otto on 28 Oct 2004 at 6:38 am

    I don’t know if I qualify for “old guard” or not (9 years in security), but I can tell you from personal experience that defense in depth (DiD) works. Not only does it reduce the chances of an attacker getting in, it also helps to cut down on the noise that has to be dealt with if you’re monitoring the network.

    A company I’ve worked with uses DiD for various parts of its infrastructure beyond simply two firewalls. Nearly every security system (IDS, firewalls, Antivirus software, etc.) that deals with untrusted networks/clients uses multiple products from multiple vendors.

    This has meant that virus outbreaks are rare and, when they do occur, they are brief and non-impactive to the business. It also means that the “breakwater” router (hot side of the first DMZ firewall) discards over 50% of the noise traffic, reducing the number of packets that the IDS must monitor and the number of alerts generated that won’t have any action taken on them.

    Even at home, I use both a hardware firewall to protect the whole network from outside attacks and software firewalls on each client to help restrict the impact of spyware/viruses on the rest of the network. It works, and it works well. Even when my wife’s computer gets infected with a virus, the rest of the computers in the home are protected.

    Sure, it costs a bit more money on the front end, but it reduces the overall amount of time that I have to spend on monitoring, reduces the number of successful attacks, and protects me from any individual vendor’s coding problems.

  3. Martin on 28 Oct 2004 at 9:57 am

    I’m not arguing against Defense in Depth, I just find any article where the author states his is the only ‘One, True Way’. This article states that anything less than two application layer firewalls in series is a weakening of your security. The totalitarian authority with which this is stated makes me leery of accepting his arguments.

    I’m a huge fan of DiD. This site is hosted on a network behind a software firewall and a router. My home network is behind an additional router with built-in firewall functionality. Each system has additional safeguards just in case. But there are an endless variety of ways you can engineer your network. Dual application layer firewalls are not the only way.