Double firewall security architecture
manulinx (Member, Posts: 3)
Hello,
I would like to ask a question that I've been thinking about for a while.
Within a secure network architecture, it is recommended to have external and internal firewalls. One key advantage is that it removes the single point of failure.
Basically (theoretically):
External firewall filters traffic between internet and DMZ
Internal firewall filters traffic between internal network and DMZ
In practice:
At which firewall do you filter traffic flows coming from the internal network to the internet, knowing that it's not only web browsing traffic but all SaaS applications, remote administration, external backup and so on...
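As an added illustration (not code from the thread or from any poster), here is a small Python model of the two-firewall path the question describes: an internal-to-internet flow is evaluated by the internal firewall first and then by the external one, so an egress rule enforced on the internal firewall stops a disallowed flow before it reaches the external firewall at all. Zone ranges, addresses, ports and rules are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed zones and addresses (documentation ranges); not a real network.
ZONES = {"internal": ip_network("10.10.0.0/16"), "dmz": ip_network("192.0.2.0/24")}

def zone_of(ip):
    """Classify an address as internal, dmz, or internet (anything outside ZONES)."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

# Rule tuples: (src_zone, dst_zone, dst_port or None for any port, action).
# First match wins; anything unmatched is dropped. Ports are illustrative.
INTERNAL_FW = [  # internal <-> DMZ leg: decides what internal hosts may initiate
    ("internal", "dmz", 3128, "accept"),      # browsing goes via the outbound proxy in the DMZ
    ("internal", "internet", 443, "accept"),  # SaaS / cloud backup, TLS only
    ("internal", "internet", 22, "drop"),     # no direct SSH to the internet from workstations
]
EXTERNAL_FW = [  # DMZ <-> internet leg: coarse, port-based policy
    ("dmz", "internet", 443, "accept"),
    ("internal", "internet", 443, "accept"),  # only what the internal fw already permitted
    ("internet", "dmz", 443, "accept"),       # published service in the DMZ
]

def verdict(rules, src_zone, dst_zone, port):
    """Evaluate one firewall's rule list for a flow; default deny."""
    for src, dst, rule_port, action in rules:
        if src == src_zone and dst == dst_zone and rule_port in (None, port):
            return action
    return "drop"

def trace(src_ip, dst_ip, port):
    """Return ([(firewall, verdict), ...], end_to_end_result); stops at the first drop."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:          # same zone: no firewall in the path
        return [], "accept"
    legs = []
    if "internal" in (src_zone, dst_zone):
        legs.append(("internal_fw", INTERNAL_FW))
    if "internet" in (src_zone, dst_zone):
        legs.append(("external_fw", EXTERNAL_FW))
    if src_zone == "internet":        # inbound flows meet the external firewall first
        legs.reverse()
    hops = []
    for name, rules in legs:
        result = verdict(rules, src_zone, dst_zone, port)
        hops.append((name, result))
        if result == "drop":          # a flow dropped here never loads the next firewall
            break
    return hops, hops[-1][1]
```

A workstation trying SSH straight to the internet is dropped at the internal firewall and never appears in the external firewall's trace, while permitted TLS egress shows both hops.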
Comments
JDMurray (Admin, Posts: 13,090)
Besides firewalls, you should also consider other mid-point network devices that create network security zones, such as proxies (e.g., outbound web proxy) and reverse proxies (e.g., inbound load balancers). In a security architecture, these devices also filter traffic and are not necessarily located behind a firewall or filtering router.
And welcome to TE!
E Double U (Member, Posts: 2,233)
In a large enough organization with the resources to have both internal and external facing firewalls that is an ideal setup, but that is not feasible in all companies.
I once worked in a small-to-medium sized environment that had an HA pair (active/standby) at the main site and a standalone fw at the DR site to protect the perimeter. All traffic traversed that fw via the respective interfaces (inside/outside/DMZ). We were lucky to get a web gateway put in place in our DMZ lol.
Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
manulinx (Member, Posts: 3)
E Double U said:
In a large enough organization with the resources to have both internal and external facing firewalls that is an ideal setup, but that is not feasible in all companies.
I once worked in a small-to-medium sized environment that had an HA pair (active/standby) at the main site and a standalone fw at the DR site to protect the perimeter. All traffic traversed that fw via the respective interfaces (inside/outside/DMZ). We were lucky to get a web gateway put in place in our DMZ lol.

With two fw, if I do some filtering (of traffic coming from internal) at the external fw, the fact is that that traffic goes through the first fw without being processed, which looks like a waste of bandwidth on that first firewall.
volfkhat (Member, Posts: 1,072)
Back at my job from Summer 2020...
In order to enter the building, you needed to wear a MASK to get past the front lobby, plus a temperature check, plus a questionnaire checklist. (I was quite impressed.)
But once you proceeded through that point.... it was basically the Wild West: people would pull their masks down over their chin, no 6-feet spacing, no hand-wipes, no nothing.
But, hey... I could not deny that they had an impressive Perimeter Security.
That's when I began to grasp the concept of a ZERO TRUST SECURITY architecture.
Check it out :]
UnixGuy (Mod, Posts: 4,570)
As mentioned above.
manulinx said:
E Double U said:
In a large enough organization with the resources to have both internal and external facing firewalls that is an ideal setup, but that is not feasible in all companies.
I once worked in a small-to-medium sized environment that had an HA pair (active/standby) at the main site and a standalone fw at the DR site to protect the perimeter. All traffic traversed that fw via the respective interfaces (inside/outside/DMZ). We were lucky to get a web gateway put in place in our DMZ lol.
With two fw, if I do some filtering (of traffic coming from internal) at the external fw, the fact is that that traffic goes through the first fw without being processed, which looks like a waste of bandwidth on that first firewall.

I'm trying to wrap my head around the need for two firewalls. Why not one firewall (with redundancy for high availability purposes) and then different security controls after that (IPS/IDS, WAF, etc.) rather than two firewalls one after the other? Not sure what additional value the second firewall is providing (strictly speaking firewall, i.e. IP/port filtering).
Edificer (Member, Posts: 187)
It follows a good design of defense-in-depth practices. Depending on where you work and how confidential the data is, multi-vendor firewalls can be desired. I had a similar implementation where I added an additional firewall in the internal network and put it in bridge mode. So, traffic traversing it would be monitored only. The existence and presence of the firewall was virtually undetectable. So, if someone was up to something they wouldn't know that they're being detected.
“Our greatest glory is not in never falling, but in rising every time we fall.” Confucius
JDMurray (Admin, Posts: 13,090)
Two firewalls in series can be a more inexpensive solution than a firewall cluster with high-availability fail-over capability. Firewalls can also do things other than packet filtering, such as NATting.
UnixGuy (Mod, Posts: 4,570)
Edificer said:
It follows a good design of defense-in-depth practices. Depending on where you work and how confidential the data is, multi-vendor firewalls can be desired. I had a similar implementation where I added an additional firewall in the internal network and put it in bridge mode. So, traffic traversing it would be monitored only. The existence and presence of the firewall was virtually undetectable. So, if someone was up to something they wouldn't know that they're being detected.

What can the second (monitoring only) firewall detect that the first firewall couldn't? Why not put an IDS instead? I'm not sure this is a cost-effective way of doing it.
You mention defense in depth; I had this exact same conversation before. Defense in depth is having multiple layers of different controls, not the same controls one in front of the other. If an attacker can traverse one firewall, they will traverse the next one, same technology: IP/port filtering is IP/port filtering.
UnixGuy (Mod, Posts: 4,570)
JDMurray said:
Two firewalls in series can be a more inexpensive solution than a firewall cluster with high-availability fail-over capability. Firewalls can also do things other than packet filtering, such as NATting.

The pricing I've seen for firewalls has not been inexpensive; it has been very expensive! I'm all for high availability; I'm not yet sold on having multiple layers of 'firewalls' for additional security. I've yet to understand/see the additional 'security' that's happening.
Edificer (Member, Posts: 187)
UnixGuy said:
Edificer said:
It follows a good design of defense-in-depth practices. Depending on where you work and how confidential the data is, multi-vendor firewalls can be desired. I had a similar implementation where I added an additional firewall in the internal network and put it in bridge mode. So, traffic traversing it would be monitored only. The existence and presence of the firewall was virtually undetectable. So, if someone was up to something they wouldn't know that they're being detected.
What can the second (monitoring only) firewall detect that the first firewall couldn't? Why not put an IDS instead? I'm not sure this is a cost-effective way of doing it.
You mention defense in depth; I had this exact same conversation before. Defense in depth is having multiple layers of different controls, not the same controls one in front of the other. If an attacker can traverse one firewall, they will traverse the next one, same technology: IP/port filtering is IP/port filtering.

If you're using Cisco NGFWs, what if there is a zero day for that? So having multiple firewalls requires more time and more effort from state-sponsored or nation-state actors to break into networks.
UnixGuy (Mod, Posts: 4,570)
@Edificer ok I understand, so two firewalls one in front of the other, each coming from a different vendor for the chance of one of them having a zero day that the other doesn't?
I understand, but it won't be something I would recommend. I'd rather have another layer after the first firewall and that layer would be IPS/IDS. Compartmentalize your data and have more measures around critical data to make it a lot harder to compromise is what I would do. A competent SOC is essential if your data is mission critical and valuable.
JDMurray (Admin, Posts: 13,090)
UnixGuy said:
@Edificer ok I understand, so two firewalls one in front of the other, each coming from a different vendor for the chance of one of them having a zero day that the other doesn't?

I see the perceived benefit of having firewalls from different vendors in series (e.g., one from Cisco, the other from Juniper). The hardware and firmware are different in both, so a vulnerability in one will likely not be a vulnerability in the other. There is some cost savings if you already own the firewalls. However, if the first firewall loses power or crashes, how does the network traffic get to the second firewall? Is the first firewall an HA cluster?
kaiju (Member, Posts: 453)
The external FW will normally rely on the typical port-based policies while the internal FW will do deeper packet inspection. The internal/external combo setup is most commonly used by large enterprise networks. Small to medium organizations can get by with a single stateful inspection or next-generation firewall.
Work smarter NOT harder! Semper Gumby!
UnixGuy (Mod, Posts: 4,570)
kaiju said:
The external FW will normally rely on the typical port-based policies while the internal FW will do deeper packet inspection. The internal/external combo setup is most commonly used by large enterprise networks. Small to medium organizations can get by with a single stateful inspection or next-generation firewall.

Yep, agreed, so the internal firewall is basically a next-gen firewall working more as an IPS/IDS etc. That's the design that I've seen and recommend.
kaiju (Member, Posts: 453)
One of the network setups that I manage has HA gateway routers, HA external firewalls (DMZ + proxy + gateway server + VPN), HA internal firewall, HA core switches, HA distribution layer and then the rest. A couple of the other networks are slightly different because of collapsed core configuration, but most of this has been the standard for 25+ years.
*** note *** I purposely left out some of the pieces because I am assuming people understand this configuration.
scasc (Member, Posts: 465)
Will admit that I have not fully read the thread above, but having 2 firewalls back to back from different vendors is known as an anti-pattern from NCSC (UK version of NSA).
https://www.ncsc.gov.uk/whitepaper/security-architecture-anti-patterns
In a nutshell, vulnerabilities usually lie against the management interface layer (which should not be exposed to untrusted networks) and not from processing the header layer of the TCP/IP packet (remote code execution).
Zero trust architecture takes this so much deeper with no concept of DMZs and a perimeterless environment, where accessibility to both SaaS apps and private apps is funnelled over a SASE. This is the future - check it out.
AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
UnixGuy (Mod, Posts: 4,570)
@scasc wish I had found this document two years ago. I was consulting for a client, and I had about 6+ security engineers/specialists gang up on me in a meeting arguing with me that having two firewalls is 'defense in depth' and that it must be adding value (in their case, it was repetition, same vendor, misconfigured, complete waste of money). Glad I stood my ground. That document would've helped.
scasc (Member, Posts: 465)
@UnixGuy - hey mate. No problem at all. Good on you. Generally speaking, people think architecture is about deploying whatever controls they can and think it's defence in depth. Architecture is about deploying solutions to reduce risk, and it leverages defence in depth, but sensibly. Where is the value of having 2 firewalls daisy-chained with the same functionality doing the same thing? I see the value in leveraging an L7 app firewall at the perimeter which does content inspection, signature matching, certificate termination, whitelisting, IPS, threat feed subscription etc. with other proxies (forward or reverse depending on use case) segmenting traffic based on asset classification, but it all comes down to a risk-based decision:
1. What are you protecting and what is the impact of loss?
2. What is the value to the company?
3. What threats can exploit these services?
4. Who has access, what permissions do they have and how can this be accomplished?
etc. etc.
Leveraging sensible throughput to reduce latency and congestion, plus failover when needed to a secondary boundary device (think BCP), makes sense. Which is different from a daisy-chain design.