Firewall/DMZ Design
We are having a discussion about firewall design. I've been involved with network/firewall devices on and off. I'm average when it comes to design.
I remember hearing/seeing about devices that could forward traffic while the device is off. We are looking to implement an internal firewall that is transparent and will not impede services if the device is turned off. Basically we want our internet-facing firewalls as redundant as possible, and we are looking to scale out instead of up. Then the firewall between our LAN and DMZ should be as cheap as possible... A diagram makes more sense...
Internet
Expensive redundant firewalls
IDS/IPS
DMZ
Transparent cheap firewall that can fail and not affect services
LAN
Any thoughts? Anyone know of a device like that? I thought I remembered a device that could be off (not unplugged) that could forward traffic between interfaces. Or am I just crazy?
Comments
apr911 Member Posts: 380
Is it a business requirement to use a two-tiered firewall setup? From the sounds of the configuration you want, it's not, because if the 2nd-tier firewall fails you still want it to pass traffic as if it doesn't exist. So why don't you just configure the redundant firewalls with 2 segments?
Currently Working On: Openstack
2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
joehalford01 Member Posts: 364
If you want something cheap, you could just go with a couple of used firewalls for the DMZ. I say a couple because if you buy a 15-year-old PIX or ASA, you should have a spare and the configuration backed up for when one of them bites the dust.
it_consultant Member Posts: 1,903
apr911 wrote: »Is it a business requirement to use a two-tiered firewall setup? From the sounds of the configuration you want, it's not, because if the 2nd-tier firewall fails you still want it to pass traffic as if it doesn't exist. So why don't you just configure the redundant firewalls with 2 segments?
The security advantage to having back-to-back firewalls is basically nil. I think this is right on track: get a pair of highly available firewalls and set up a network zone for your DMZ.
Trifidw Member Posts: 281
How many interfaces does your internet firewall have? If it is 3 or more (excluding any that are used for redundancy), then why not just hang the DMZ off those?
onesaint Member Posts: 801
it_consultant wrote: »The security advantage to having back to back firewalls is basically nill. I think this is right on track, get a pair of highly available firewalls and set up a network zone for your DMZ.
Another vote for this methodology. I'm not sure 1. why you would want to shut the firewall off, and 2. why you would want to place a cheap ready to fail firewall in front of your internal zone. Is this a design requirement?
This is great post about DMZ placement and considerations with multiple firewalls:
Designing Enterprise DMZ and Multilayer Firewall Clusters
If you place your DMZ segment off of one firewall and block all incoming traffic on the other firewall, your internal zone will be far better protected. Something along these lines:
http://www.techrepublic.com/i/tr/cms/contentPics/r00220020227wrr01_D.gif
Personally, I like to try to compartmentalize everything so that if one zone is compromised, the others are still protected.
This is, of course, general design theory, and your company's requirements need to be taken into consideration.
HTH
Work in progress: picking up Postgres, elastisearch, redis, Cloudera, & AWS.
Next up: eventually the RHCE and to start blogging again.
Control Protocol; my blog of exam notes and IT randomness
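As an added illustration of onesaint's point (hang the DMZ off one firewall and block all unsolicited inbound traffic to the internal zone), here is a constructed Python model of a stateful, default-deny zone policy. It is not code from anyone in the thread or from any firewall product; the zone names, addresses and ports are invented.

```python
from dataclasses import dataclass

# Constructed three-zone model of the design discussed in the thread:
# Internet -> perimeter firewall -> DMZ, with the LAN only reachable as the
# reply half of a flow the LAN itself opened. All values are invented.

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dport: int
    sport: int

# (src_zone, dst_zone, dport) tuples allowed to open a NEW connection.
# Nothing may originate a connection from the DMZ or the Internet into the LAN.
ALLOW_NEW = {
    ("INTERNET", "DMZ", 443),   # public web tier
    ("LAN", "DMZ", 22),         # admins manage DMZ hosts
    ("LAN", "INTERNET", 443),   # outbound browsing
}

class ZoneFirewall:
    def __init__(self):
        self.conntrack = set()  # 4-tuples of flows we have permitted

    def _key(self, p: Packet):
        return (p.src_ip, p.sport, p.dst_ip, p.dport)

    def _reverse_key(self, p: Packet):
        # The reply to a permitted flow has its endpoints swapped.
        return (p.dst_ip, p.dport, p.src_ip, p.sport)

    def decide(self, p: Packet) -> str:
        # 1. Reply traffic for a flow we already permitted (stateful return path).
        if self._reverse_key(p) in self.conntrack:
            return "ACCEPT-ESTABLISHED"
        # 2. New connection: must match an explicit zone pair and port.
        if (p.src_zone, p.dst_zone, p.dport) in ALLOW_NEW:
            self.conntrack.add(self._key(p))
            return "ACCEPT-NEW"
        # 3. Default deny, so a compromised DMZ host cannot open anything to the LAN.
        return "DROP"
```

The interesting case is the fourth one in the checks below: the DMZ host may answer an admin session the LAN opened, but an identical-looking packet that is not a reply is dropped.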
Mishra Member Posts: 2,468
Trifidw wrote: »How many interfaces does your internet firewall have? If it is 3 or more (excluding any that are used for redundancy), then why not just hang the DMZ off those?
This is actually what we do currently. We are interested in adding an internal firewall behind our perimeter that is of a different vendor. This gives us 2 advantages. If a vulnerability is exposed in the perimeter, hopefully having a different vendor's firewall behind it will stop this. The other advantage is that if the perimeter firewall is compromised, we will have another firewall behind it. If we continue to set up the multi-legged firewall approach, then if the firewall is compromised we have no ability to block that traffic. The intruder would be able to set up anything they like to attack/steal our customer data.
This reply was for most people's posts here. Thanks for commenting!
Mishra Member Posts: 2,468
onesaint wrote: »Another vote for this methodology. I'm not sure 1. why you would want to shut the firewall off, and 2. why you would want to place a cheap ready-to-fail firewall in front of your internal zone. Is this a design requirement?
The curiosity of having a back pair of firewalls that could run with the firewall off is to try and save money. Spending 300k on a fully redundant, service-split firewall would be doubled to 600k if we wanted to duplicate the same thing on the internal end. Mostly, the 'shut off' feature was something I was trying to remember back when I swore I heard of a device that could forward traffic while off. I think I'm thinking of a 3par SAN or something...
networker050184 Mod Posts: 11,962
I've seen a few devices that can continue to "forward" traffic while the device is off. It's not actually forwarding anything though; it's a physical switch that connects two ports as if it were a single wire. Most devices I've seen this on are taps that sit in the wire anyway. Never seen a firewall with this feature, but that doesn't mean one doesn't exist.
An expert is a man who has made all the mistakes which can be made.
it_consultant Member Posts: 1,903
Mishra wrote: »This is actually what we do currently. We are interested in adding an internal firewall behind our perimeter that is of a different vendor. This gives us 2 advantages. If a vulnerability is exposed in the perimeter, hopefully having a different vendor's firewall behind it will stop this. The other advantage is that if the perimeter firewall is compromised, we will have another firewall behind it. If we continue to set up the multi-legged firewall approach, then if the firewall is compromised we have no ability to block that traffic. The intruder would be able to set up anything they like to attack/steal our customer data.
This reply was for most people's posts here. Thanks for commenting!
This almost never works correctly in my experience. Consider that, in a dedicated attack, if they have enough skill to get around your first firewall, the second one will not pose that much more of a challenge. Also consider that in order to make this setup work correctly you will have to swiss-cheese your second firewall.
To do what you want, you should have 1 firewall and put a bridging NIPS device (Tipping Point, Proventia, etc.) in line behind the firewall. If the NIPS device fails, simply unplug your network cable from the NIPS device and put it into your stack. This is really the correct way to do 2-layer security.
Mishra Member Posts: 2,468
networker050184 wrote: »I've seen a few devices that can continue to "forward" traffic while the device is off. It's not actually forwarding anything though; it's a physical switch that connects two ports as if it were a single wire. Most devices I've seen this on are taps that sit in the wire anyway. Never seen a firewall with this feature, but that doesn't mean one doesn't exist.
Right, exactly. Do you know what device does this?
networker050184 Mod Posts: 11,962
Mishra wrote: »Right, exactly. Do you know what device does this?
The exact vendor escapes me at this time, but I'll see what I can dig up. I've also seen the fiber ones that do this with mirrors, which I thought was a pretty cool idea. I think the term you need in your googling will be "fail closed" to help find something.
An expert is a man who has made all the mistakes which can be made.