Firewall/DMZ Design

Mishra Member Posts: 2,468
We are having a discussion about firewall design. I've been involved with network/firewall devices on and off. I'm average when it comes to design.

I remember hearing/seeing about devices that could forward traffic while the device is off. We are looking to implement an internal firewall that is transparent and will not impede services if the device is turned off. Basically we want our internet-facing firewalls to be as redundant as possible, and we are looking to scale out instead of up. Then the firewall between our LAN and DMZ should be as cheap as possible... A diagram makes more sense...


Internet

Expensive redundant firewalls

IDS/IPS

DMZ

Transparent cheap firewall that can fail and not affect services

LAN

Any thoughts? Anyone know of a device like that? I thought I remembered a device that could be off (not unplugged) that could forward traffic between interfaces. Or am I just crazy?
My blog http://www.calegp.com

You may learn something!

Comments

  • apr911 Member Posts: 380
    Is it a business requirement to use a two-tiered firewall setup? From the sounds of the configuration you want, it's not, because if the 2nd-tier firewall fails you still want it to pass traffic as if it doesn't exist. So why don't you just configure the redundant firewalls with 2 segments?
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
  • joehalford01 Member Posts: 364
    If you want something cheap, you could just go with a couple of used firewalls for the DMZ. I say a couple because if you buy a 15-year-old PIX or ASA, you should have a spare and the configuration backed up for when one of them bites the dust.
  • it_consultant Member Posts: 1,903
    apr911 wrote: »
    Is it a business requirement to use a two-tiered firewall setup? From the sounds of the configuration you want, it's not, because if the 2nd-tier firewall fails you still want it to pass traffic as if it doesn't exist. So why don't you just configure the redundant firewalls with 2 segments?

    The security advantage to having back-to-back firewalls is basically nil. I think this is right on track: get a pair of highly available firewalls and set up a network zone for your DMZ.
  • Trifidw Member Posts: 281
    How many interfaces does your internet firewall have? If it is 3 or more (excluding any that are used for redundancy), then why not just hang the DMZ off those?
  • onesaint Member Posts: 801
    The security advantage to having back-to-back firewalls is basically nil. I think this is right on track: get a pair of highly available firewalls and set up a network zone for your DMZ.

    Another vote for this methodology. I'm not sure 1. why you would want to shut the firewall off, and 2. why you would want to place a cheap, ready-to-fail firewall in front of your internal zone. Is this a design requirement?

    This is a great post about DMZ placement and considerations with multiple firewalls:
    Designing Enterprise DMZ and Multilayer Firewall Clusters

    If you place your DMZ segment off of one firewall and block all incoming traffic on the other firewall, your internal zone will be far better protected. Something along these lines:
    http://www.techrepublic.com/i/tr/cms/contentPics/r00220020227wrr01_D.gif

    Personally, I like to try to compartmentalize everything so that if one zone is compromised, the others are still protected.

    This, of course, is general design theory, and your company's requirements need to be taken into consideration.

    HTH
    Work in progress: picking up Postgres, elastisearch, redis, Cloudera, & AWS.
    Next up: eventually the RHCE and to start blogging again.

    Control Protocol; my blog of exam notes and IT randomness
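    As an added example (not from any poster in this thread), a minimal nftables ruleset for the single three-legged firewall these replies recommend: the DMZ hangs off its own interface, inbound internet traffic can reach only the services the DMZ publishes, and nothing from the DMZ may originate a connection into the LAN. The interface names eth0/eth1/eth2, the published ports and the management port are assumptions.

```nftables
#!/usr/sbin/nft -f
# Assumed interfaces (placeholders): eth0 = internet, eth1 = DMZ, eth2 = LAN
flush ruleset

table inet fw {
    # Services the DMZ publishes to the internet (assumed: HTTP/HTTPS)
    set dmz_published {
        type inet_service
        elements = { 80, 443 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the rules below already admitted
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services may be reached
        iifname "eth0" oifname "eth1" tcp dport @dmz_published ct state new accept

        # LAN -> DMZ and LAN -> internet: the LAN may originate connections
        iifname "eth2" oifname { "eth0", "eth1" } ct state new accept

        # DMZ -> internet: keep only if DMZ hosts need outbound access (e.g. updates)
        iifname "eth1" oifname "eth0" ct state new accept

        # DMZ -> LAN and internet -> LAN: no accept rule, so the drop policy applies.
        # A compromised DMZ host can answer LAN-initiated sessions but cannot
        # open new ones toward the LAN. Log what gets dropped for the IDS/SIEM.
        log prefix "fw-forward-drop: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Manage the firewall itself only from the LAN leg (assumed SSH on 22)
        iifname "eth2" tcp dport 22 ct state new accept
    }
}
```

    In a redundant pair, the same ruleset is loaded on both members; the compartmentalisation comes from the zone policy, not from a second box behind the first.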
  • Mishra Member Posts: 2,468
    Trifidw wrote: »
    How many interfaces does your internet firewall have? If it is 3 or more (excluding any that are used for redundancy) than why not just hang the DMZ off those?

    This is actually what we do currently. We are interested in adding an internal firewall behind our perimeter that is of a different vendor. This gives us 2 advantages. If a vulnerability is exposed in the perimeter, hopefully having a different vendor's firewall behind it will stop this. The other advantage is that if the perimeter firewall is compromised, we will have another firewall behind it. If we continue to set up the multi-legged firewall approach, then if the firewall is compromised we have no ability to block that traffic. The intruder would be able to set up anything they like to attack/steal our customer data.

    This reply was for most people's posts here. Thanks for commenting!
  • Mishra Member Posts: 2,468
    onesaint wrote: »
    Another vote for this methodology. I'm not sure 1. why you would want to shut the firewall off, and 2. why you would want to place a cheap ready to fail firewall in front of your internal zone. Is this a design requirement?

    The curiosity of having a back pair of firewalls that could run with the firewall off is to try and save money. Spending 300k on a fully redundant, service split, firewall would be doubled to 600k if we wanted to duplicate the same thing on the internal end. Mostly, the 'shut off' feature was something I was trying to remember back when I swore I heard of a device that could forward traffic while off. I think I'm thinking of a 3par SAN or something...
  • networker050184 Mod Posts: 11,962
    I've seen a few devices that can continue to "forward" traffic while the device is off. It's not actually forwarding anything though; it's a physical switch that connects two ports as if it were a single wire. Most devices I've seen this on are taps that sit in the wire anyway. Never seen a firewall with this feature, but that doesn't mean one doesn't exist.
    An expert is a man who has made all the mistakes which can be made.
  • it_consultant Member Posts: 1,903
    Mishra wrote: »
    This is actually what we do currently. We are interested in adding an internal firewall behind our perimeter that is of a different vendor. This gives us 2 advantages. If a vulnerability is exposed in the perimeter, hopefully having a different vendor's firewall behind it will stop this. The other advantage is that if the perimeter firewall is compromised, we will have another firewall behind it. If we continue to set up the multi-legged firewall approach, then if the firewall is compromised we have no ability to block that traffic. The intruder would be able to set up anything they like to attack/steal our customer data.

    This reply was for most people's posts here. Thanks for commenting!

    This almost never works correctly in my experience. Consider that if there is a dedicated attack, and they have enough skill to get around your first firewall, the second one will not pose that much more of a challenge. Also consider that in order to make this setup work correctly you will have to Swiss-cheese your second firewall.

    To do what you want you should have 1 firewall and put a bridging NIPS device (Tipping Point, Proventia, etc) in line behind the firewall. If the NIPS device fails, simply unplug your network cable from the NIPS device and put it into your stack. This is really the correct way to do 2 layer security.
  • Mishra Member Posts: 2,468
    I've seen a few devices that can continue to "forward" traffic while the device is off. It's not actually forwarding anything though; it's a physical switch that connects two ports as if it were a single wire. Most devices I've seen this on are taps that sit in the wire anyway. Never seen a firewall with this feature, but that doesn't mean one doesn't exist.

    Right, exactly. Do you know what device that does this?
  • networker050184 Mod Posts: 11,962
    Mishra wrote: »
    Right, exactly. Do you know what device that does this?

    The exact vendor escapes me at this time but I'll see what I can dig up. I've also seen the fiber ones that do this with mirrors which I thought was a pretty cool idea. I think the term you need in your googling will be "fail closed" to help find something.