Double firewall security architecture
manulinx
Member Posts: 3 ■■□□□□□□□□
Hello,
i would like to ask a question that i've been thinking about since a while.
Within a secure network architecture, it is recommended to have an external and internal firewalls. one key adventage is the it removes the single point of failure.
Basically (theorically):
External firewall filters trafic between internet and DMZ
Internal firewall filters trafic between internal network and DMZ
In practice:
at which firewall to filter traffic flows coming from the internal network to internet, knowing that its not only web browsing traffic but all Saas application, remote administration, external backup and so one...
i would like to ask a question that i've been thinking about since a while.
Within a secure network architecture, it is recommended to have an external and internal firewalls. one key adventage is the it removes the single point of failure.
Basically (theorically):
External firewall filters trafic between internet and DMZ
Internal firewall filters trafic between internal network and DMZ
In practice:
at which firewall to filter traffic flows coming from the internal network to internet, knowing that its not only web browsing traffic but all Saas application, remote administration, external backup and so one...
Comments
-
JDMurray Admin Posts: 13,099 AdminBesides firewalls, you should also consider other mid-point network devices that create network security zones, such as proxies (e.g., outbound webproxy) and reverse proxies (e.g., inbound load balancers). In a security architecture, these devices also filter traffic and are not necessarily located behind a firewall or filtering router.And welcome to TE!
-
E Double U Member Posts: 2,238 ■■■■■■■■■■In a large enough organization with the resources to have both internal and external facing firewalls that is an ideal setup, but that is not feasible in all companies.
I once worked in a small-to-medium sized environment that had a HA pair (active/standby) at the main site and a standalone fw at the DR site to protect the perimeter. All traffic traversed that fw via the respective interfaces (inside/outside/DMZ). We were lucky to get a web gateway put in place in our DMZ lol.Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS -
manulinx Member Posts: 3 ■■□□□□□□□□E Double U said:In a large enough organization with the resources to have both internal and external facing firewalls that is an ideal setup, but that is not feasible in all companies.
I once worked in a small-to-medium sized environment that had a HA pair (active/standby) at the main site and a standalone fw at the DR site to protect the perimeter. All traffic traversed that fw via the respective interfaces (inside/outside/DMZ). We were lucky to get a web gateway put in place in our DMZ lol.
with two fw, if i get to do some filterings (of a traffic coming from internal) at the external fw, the fact is that that traffic goes throughout the first fw without being processed, what looks like a waist of bandwidth of that first firewall. -
volfkhat Member Posts: 1,075 ■■■■■■■■□□Back at my job from Summer 2020...In order to enter the building,You needed to wear a MASK to get passed the front lobby.plus a Temperature check.plus a Questionnaire checklist.(i was Quite impressed)But once you proceeded through that point.... it was basically the Wild West;People would pull their masks down over their chin,No 6-feet spacing,No hand-wipes,No nothing.But, hey... i could Not deny that they had an impressive Perimeter Security.Thats when i began to grasp the concept of a ZERO TRUST SECURITY architecture.Check it out :]
-
UnixGuy Mod Posts: 4,570 ModAs mentioned abovemanulinx said:E Double U said:In a large enough organization with the resources to have both internal and external facing firewalls that is an ideal setup, but that is not feasible in all companies.
I once worked in a small-to-medium sized environment that had a HA pair (active/standby) at the main site and a standalone fw at the DR site to protect the perimeter. All traffic traversed that fw via the respective interfaces (inside/outside/DMZ). We were lucky to get a web gateway put in place in our DMZ lol.
with two fw, if i get to do some filterings (of a traffic coming from internal) at the external fw, the fact is that that traffic goes throughout the first fw without being processed, what looks like a waist of bandwidth of that first firewall.
I'm trying to wrap my head around the need for two firewalls. Why not one firewall (with redundancy for High availability purposes) and then different security controls after that (IPS/IDS, WAF, etc) rather than two firewalls one after the other. Not sure what additional value the second firewall is providing (strictly speaking firewall i.e. IP/port filtering )
-
Edificer Member Posts: 187 ■■■□□□□□□□It's follows a good design of defense in-depth practices. Depending on where you work and how confidential the data is, multi-vendor firewalls can be desired. I had similar implementation where I added an additional firewall in the internal network and put it in bridge mode. So, traffic traversing it would be monitored only. The existence and presence of the firewall was virtually undetectable. So, if someone was up to something they wouldn't know that they're being detected.“Our greatest glory is not in never falling, but in rising every time we fall.” Confucius
-
JDMurray Admin Posts: 13,099 AdminTwo firewalls in series can be a more inexpensive solution than a firewall cluster with high-availability fail-over capability. Firewalls can also do things other than packet filtering, such as NATting.
-
UnixGuy Mod Posts: 4,570 ModEdificer said:It's follows a good design of defense in-depth practices. Depending on where you work and how confidential the data is, multi-vendor firewalls can be desired. I had similar implementation where I added an additional firewall in the internal network and put it in bridge mode. So, traffic traversing it would be monitored only. The existence and presence of the firewall was virtually undetectable. So, if someone was up to something they wouldn't know that they're being detected.What can the second (monitoring only) firewall detect that the first firewall couldn't? Why not put an IDS instead? I'm not sure this is a cost effective way of doing itYou mention defense in-depth, I had this exact same conversation before. Defense in depth is having multiple layers of different controls, not the same controls one infront of the other. if an attacker can traverse one firewall, they will traverse the next one, same technology, IP/Port filtering is IP/port filtering
-
UnixGuy Mod Posts: 4,570 ModJDMurray said:Two firewalls in series can be a more inexpensive solution than a firewall cluster with high-availability fail-over capability. Firewalls can also do things other than packet filtering, such as NATting.the pricing I've seen for firewalls have not been inexpensive, they've been very expensive! I'm all for high-availability, I'm not yet sold on having multiple layers of 'firewalls' for additional security, I've yet to understand/see the additional 'security' that's happening.
-
Edificer Member Posts: 187 ■■■□□□□□□□UnixGuy said:Edificer said:It's follows a good design of defense in-depth practices. Depending on where you work and how confidential the data is, multi-vendor firewalls can be desired. I had similar implementation where I added an additional firewall in the internal network and put it in bridge mode. So, traffic traversing it would be monitored only. The existence and presence of the firewall was virtually undetectable. So, if someone was up to something they wouldn't know that they're being detected.What can the second (monitoring only) firewall detect that the first firewall couldn't? Why not put an IDS instead? I'm not sure this is a cost effective way of doing itYou mention defense in-depth, I had this exact same conversation before. Defense in depth is having multiple layers of different controls, not the same controls one infront of the other. if an attacker can traverse one firewall, they will traverse the next one, same technology, IP/Port filtering is IP/port filtering
If you're using cisco NGFWs, what if there is an zero day for that? So having multi-firewalls requires from state-sponsored or nation-state actors more time and more efforts to break into networks.“Our greatest glory is not in never falling, but in rising every time we fall.” Confucius -
UnixGuy Mod Posts: 4,570 Mod@Edificer ok I understand, so two firewalls one infront of the other, each come from a different vendor for the chance of one of them having a zero day that the other dont?I understand, but it won't be something I would recommend. I'd rather have another layer after the first firewall and that layer would be IPS/IDS. Compartmentalize your data and have more measures around critical data to make it a lot harder to compromise is what I would do. A competent SOC is essential if your data is mission critical and valuable.
-
JDMurray Admin Posts: 13,099 Admin@Edificer ok I understand, so two firewalls one infront of the other, each come from a different vendor for the chance of one of them having a zero day that the other dont?I see the perceived benefit of having firewalls from different vendors in series (e.g., one from Cisco the other from Juniper). The hardware and firmware is different in both, so a vulnerability in one will likely not be a vulnerability in the other. There is some cost savings if you already own the firewalls. However, if the first firewall looses power or crashes, how does the network traffic get to the second firewall? Is the first firewall an HA cluster?
-
kaiju Member Posts: 453 ■■■■■■■□□□The external FW will normally rely on the typical port-based policies while the internal FW will do deeper packet inspection. The internal/external combo setup is most commonly used by large enterprise networks. Small to medium organizations can get by with a single stateful inspection or next-generation firewall.Work smarter NOT harder! Semper Gumby!
-
UnixGuy Mod Posts: 4,570 Modkaiju said:The external FW will normally rely on the typical port-based policies while the internal FW will do deeper packet inspection. The internal/external combo setup is most commonly used by large enterprise networks. Small to medium organizations can get by with a single stateful inspection or next-generation firewall.
yep agreed, so the internal firewall is basically a next-gen firewall working more as an IPS/IDS etc, that's the design that I've seen and recommend
-
kaiju Member Posts: 453 ■■■■■■■□□□One of the network setups that I manage has HA gateway routers, HA external firewalls, (DMZ + Proxy + Gateway server + vpn), HA internal firewall, HA core switches, HA distribution layer and then the rest. A couple of the other networks are slightly different because of collapsed core configuration but most of this has been the standard for 25+ years.*** note *** I purposely left out some of the pieces because I am assuming people understand this configuration.
Work smarter NOT harder! Semper Gumby! -
scasc Member Posts: 465 ■■■■■■■□□□Will admit that I have not fully read the thread above, but having 2 firewalls back to back from different vendors is known as an anti-pattern from NCSC (UK version of NSA).
https://www.ncsc.gov.uk/whitepaper/security-architecture-anti-patterns
In a nutshell, vulnerabilities usually lie against the management interface layer (which should not be exposed to untrusted networks) and not from processing the header layer of the TCP/IP packet (remote code execution).
Zero trust architecture takes this so much deeper with no concept of DMZ's and a perimeter less environment; where accessibility to both SaaS apps and private apps is funnelled over a SASE. This is the future - check it out.
AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia... -
UnixGuy Mod Posts: 4,570 Mod@scasc wish I found this document two years ago. I was consulting for a client, and I had about 6+ security engineers/specialists gang up on me in a meeting arguing with me that having two firewalls is 'defense in depth' and that it must be adding value (in their case, it was repetition, same vendor, misconfigured, complete waste of money). Glad I stood my ground. That document would've helped
-
scasc Member Posts: 465 ■■■■■■■□□□@UnixGuy - hey mate. No problem at all. Good on you. Generally speaking people think architecture is about deploying whatever controls they can and think it’s defence in depth. Architecture is about deploying solutions to reduce risk and is leveraging defence in depth but sensibly.Where is the value of having 2 firewalls Daisy chained with same functionality doing the same thing? .I see the value in leveraging a L7 app firewall at the perimeter which does content inspection, signature matching, certificate termination, whitelisting, IPS, thread feed subscription etc with other proxies (forward or reverse depending on use case) segmenting traffic based on asset classification but it all comes down to risk based decision:
1. what are you protecting and what is the impact of loss?
2. What is the value to the company.
3. What threats can exploit these services
4. who has access, what permissions do they have and how can this be accomplished.
etc etc.
Leveraging sensible throughout to reduce latency and congestion plus failover when needed to a secondary boundary device (think BCP) makes sense. Which is different to daisy chain design.AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...