Options
DMZ / Design Question
NightShade03
Member Posts: 1,383 ■■■■■■■□□□
in Off-Topic
I'm wondering if its common to have users pass through the same firewall twice when going into the corporate network. For example lets suppose you host an application. In order for your users to connect from outside they first pass through the firewall, hit the proxy in the DMZ, go back through the same firewall, and then hit the app server. Wouldn't it make more sense to allow the user to go from the proxy through a switch to the app server and place secondary security/restrictions on the switch as opposed to hitting the firewall with double the traffic??
Comments
-
Options
HeroPsycho
Inactive Imported Users Posts: 1,940
Mostly, no, but it depends on what said firewall does. Most traditional designs have a multihomed firewall or a second firewall where all traffic goes through from DMZ to the internal LAN.
The most obvious case is where a firewall will do more than an ACL or something similar on a router or switch would do. Case in point would be ISA. ISA inspects traffic all the way down to application layer stuff. You would have to assume that the proxy or front end could have been hacked. Malformed traffic could pass simple packet filter type rules in a normal router ACL or the like. You would in that case want ISA to perhaps inspect it closer, even though it's gotten to that point.
Take OWA for example. In a cascading firewall scenario, here's how the filtering would work:
1. Edge firewall that's usually an ASIC appliance hardware type firewall would allow the 443 traffic in on a certain public IP address. Any other port would be filtered.
2. This traffic would be sent to the second firewall, ISA 2006 or TMG to crack open the SSL encrypted data for inspection of malformed packets, application layer attacks, and to allow ISA to authenticate the user before a single packet ever hits the internal Exchange servers.
You simply can't do that with a switch or router with a simple ACL.
Edit: Also, remember cascading firewalls is to restrict traffic between DMZ and production LAN servers. If the servers are on the same VLAN, they probably could still broadcast, and if you can broadcast, you can probably ARP poison, broadcast storm to cause a DoS, etc. if the DMZ host were breached. That's kinda the hole point. And what do you think protects you better, a switch with some special security settings, or an actual firewall between the two?Good luck to all! -
OptionsNightShade03
Member Posts: 1,383 ■■■■■■■□□□
Thanks for the reply. For me said firewall would be the edge node to our network so all traffic comes in through it. My thought process is that all traffic goes through the firewall directly to our proxies. If the proxies are feeding the traffic to a few application servers in the backend I thought just putting a switch with some fine tuned ACLs would be enough. The reason I asked about the second firewall is I thought it might be over kill.
Everything that goes to the proxies is restricted to a single port, and the only thing allow to the app servers is from the ip address of the proxy on a single port so its pretty locked down. Currently everything is being routed back to the edge firewall to be passed back to the app servers which I find stupid. Will have to plan some more for this change I guess. -
Options
dynamik
Banned Posts: 12,312 ■■■■■■■■■□
So is this a three-pronged firewall setup with the proxy, web app, and external networks? You can accomplish more or less the same thing with that as you can with two separate firewalls. -
OptionsNightShade03
Member Posts: 1,383 ■■■■■■■□□□
Its a data center. It holds all databases and an application. It is where all clients access the software though.
Currently it is Firewall(A) -> proxy -> Firewall(A) -> webapp
I was thinking Firewall(A) -> proxy -> Firewall(B) or Cisco L3 -> webapp