Security Design Question

Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Greetings,

For those of you that design networks or suggest designs do you still feel that layer firewalls (from different vendors) is still a valuable part of defensive in depth? From your experience, do companies tend to use this in the SMB enterprises?

Just want to get someone else's perspective. I am submitting a proposal for our new network design on Wednesday and the other guy and I have some very, very different opinions.
«1

Comments

  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    There are pros and cons. The main pro is that any vulns found for one vendor will be immediately mitigated by any downstream devices from the other. But a major con. is it is doubtful you can maintain the same level of expertise on both (or more) systems. Also, contrary to what many think so this is strictly in-my-humble-opinion, I think there is a lot to be said for predictability on your own network. Yes it makes it easier for attackers to profile and plan an attack, but at the same time it makes it easier for you to accurately mitigate weaknesses and respond when there are issues - the attacker has the choice of attack vector, timing etc., you are already down a few points on unpredictability, don't add to it with multi-vendor approaches if there is no specific reason to it (e.g. one vendor may handle a certain type of application inspection better than another so it might make sense to place a different type closer to certain resources).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Ahriakin wrote: »
    There are pros and cons. The main pro is that any vulns found for one vendor will be immediately mitigated by any downstream devices from the other. But a major con. is it is doubtful you can maintain the same level of expertise on both (or more) systems. Also, contrary to what many think so this is strictly in-my-humble-opinion, I think there is a lot to be said for predictability on your own network. Yes it makes it easier for attackers to profile and plan an attack, but at the same time it makes it easier for you to accurately mitigate weaknesses and respond when there are issues - the attacker has the choice of attack vector, timing etc., you are already down a few points on unpredictability, don't add to it with multi-vendor approaches if there is no specific reason to it (e.g. one vendor may handle a certain type of application inspection better than another so it might make sense to place a different type closer to certain resources).


    You echo my point entirely. That is what I was thinking. I mean I understand where he is coming from but IMO one well tuned and configured firewall would be way better than two so, so ones. Basically IMO (for our external stuff) I want 1 firewall, a HIDS/AV/SW (already done), a NIDS and proper log collection, patching and so on. Also I am looking at the stuff I mentioned here for our web servers:

    http://www.techexams.net/forums/off-topic/61243-threatsentry-iis-web-application-firewall.html

    Adding yet another device that is serving the firewall purpose (our external facing router is a "firewall" as well) would just make it more complex and make it more difficult to properly determine problems. Well tuned IDS/IPS, well tuned application firewalls and patched servers on harden OS should be plenty but he disagrees.
  • it_consultantit_consultant Member Posts: 1,903
    Greetings,

    For those of you that design networks or suggest designs do you still feel that layer firewalls (from different vendors) is still a valuable part of defensive in depth? From your experience, do companies tend to use this in the SMB enterprises?

    Just want to get someone else's perspective. I am submitting a proposal for our new network design on Wednesday and the other guy and I have some very, very different opinions.

    I see a lot of networks that have a hardware firewall and then something like an ISA server. I am not sure how helpful this is. IBM in Boulder had hardware firewalls and then IDS/IPS on the hosts that were monitored by a central controller.

    What is the idea in your proposal like?
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Router(Packet Filter)>>>IDS>>Firewall>>>DMZ>>IDS>>LAN>>IDS>


    On the servers it is the usual, harden OS, harden app, tcp/ip filtering, HIPS, AV
  • it_consultantit_consultant Member Posts: 1,903
    What does the other guy think?
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Router(Packet Filter)>>>IDS>>Firewall*>>>DMZ>>Firewall*>>LAN>>

    *He wants different firewall vendors for the two firewalls.
  • it_consultantit_consultant Member Posts: 1,903
    I don't see a lot of advantages to having two firewalls back to back. Esp if your primary firewall is a high quality unit like a palo alto.

    Next Generation Firewall Features and Benefits
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I don't see a lot of advantages to having two firewalls back to back. Esp if your primary firewall is a high quality unit like a palo alto.

    Next Generation Firewall Features and Benefits


    We have a sonicwall NSA 3500

    Network Security - SonicWALL Network Security Appliance 3500 - SonicWALL, Inc.

    I mean it is super overkill for what we will use it for. I just think he wants to do things his way. I have a strong feeling that the boss will go his way.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    When discussing multiple filtering devices in a given path, I could argue for or against using equipment from different vendors. On one hand, I'd recommend having different products: a Cisco border router using extended or reflexive ACLs and then a Check Point doing the stateful inspection thing. The attacker would have to know characteristics of both platforms in order to break though the front-line.

    Now that said, maintaining sufficient expertise in order to effectively manage them both can be difficult in terms of keeping up with new features, code updates, syntax differences, etc.. If all you do for your job is manage the perimeter, then it might not be so bad. If you're a jack-of-all-trades in your environment, you're probably much less effective and using the same vendor for the filtering would make better sense.

    You also have to consider business feature requirements. In a given network, you might have a traditional firewall appliance for the general filtering and segmenting, but another device for proxying HTTP, etc.. In that sense, two different brands could be complimentary.

    But I'm of the opinion that if you're not able to efficiently manage your devices because your expertise is spread wide across different areas / vendors, your ability to mitigate security risks goes down. I work with a variety of devices from different vendors and I know what it's like to not have an answer or immediately know what to do when I encounter an issue because I have to change mindsets for each platform and then figure my way out. Constantly jumping between different technologies doesn't necessarily make me an expert on all of them.

    I personally like having a second firewall. I don't like the front firewall itself having a direct connection the internal "soft" trusted network, even if there's a filtering router at the border. I generally assume that the router may get owned eventually as it's hammered all the time. I don't want my main firewall to be the only real line of defense. Assuming it fails open, at least I have one additional layer that will keep me protected while I scramble to deal with the fire. But again, this comes down to cost and support resources (including available expertise). The more devices in-line, the more maintenance that's going to be required.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    What about virtual interfaces (on the firewall) and vlanning in your DMZ? Do you implement that (or feel that it should be) ?. I read somewhere where it said that true security assumes your firewall is going to get owned. To me, having multiple boxes like that really doesn't do you much good especially since the firewall he was suggestion were all layer 3/4 (iptables) and his concern was a layer 7 attack (scanning on the web server). IMO you can achieve the same type of packet filtering with a cisco router. Who knows, I could even set up the IOS firewall for inspection (we have a 4mb pipe, our router never even breathes hard). Idk. I do see your point though.
  • SteveO86SteveO86 Member Posts: 1,423
    Well, now if the boss wants it icon_rolleyes.gificon_smile.gif

    One of the reasons I prefer the Cisco ASA is because it can be an all in one, providing IPS/Firewall/VPN.

    2 firewalls back to back, not sure as long they are not inspecting and looking the same information, then it's just double work for no reason.

    Depending how in-depth you want to go, the Cisco ASA allows you to add custom expressions to the Inspect maps (such as HTTP).. So if the firewall from Vendor A looks for something the ASA doesn't you can add that in there. I would suspect your SonicWall have a similar feature. Doing this in great detail will make the device from Vendor A look useless.

    Or if you really need (or your boss) that second firewall, would an ISR router running the Advanced Security IOS image running a zone based firewall (or CBAC) with an IPS Subscription work? (With a 4 MB pipe to the internet I would suspect a new ISR G2 router with at 512 of memory would suffice nicely, or even a 2811 with 512.)

    Depending on your webserver and if it does HTTPS transactions, and HIPS installed on the server itself may offer better protection, many AV programs nowadays offer built-in HIPs (Symantec Enpoint, Trend Micro) or they have dedicated HIPS programs (Cisco CSA) out there (can be expensive to implement)

    Going back to Firewall/DMZ I always remember the FW and DMZ is ment to go through hell and anything in the DMZ is not mission critical to your organization and if it got compromised it wouldn't be that big of a deal). Implementing Private VLANs correctly in the DMZ can limit the damage done by an attack.

    Sorry for being so Cisco oriented.. It's just my environment.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    SteveO86 wrote: »
    Well, now if the boss wants it icon_rolleyes.gificon_smile.gif
    Lol exactly

    SteveO86 wrote: »
    One of the reasons I prefer the Cisco ASA is because it can be an all in one, providing IPS/Firewall/VPN.

    2 firewalls back to back, not sure as long they are not inspecting and looking the same information, then it's just double work for no reason.

    Depending how in-depth you want to go, the Cisco ASA allows you to add custom expressions to the Inspect maps (such as HTTP).. So if the firewall from Vendor A looks for something the ASA doesn't you can add that in there. I would suspect your SonicWall have a similar feature. Doing this in great detail will make the device from Vendor A look useless.

    I felt that it would be double work and cause latency for no reason as well. I need to check and see if there is a feature like that on Sonicwall. Good idea icon_thumright.gif

    SteveO86 wrote: »

    Or if you really need (or your boss) that second firewall, would an ISR router running the Advanced Security IOS image running a zone based firewall (or CBAC) with an IPS Subscription work? (With a 4 MB pipe to the internet I would suspect a new ISR G2 router with at 512 of memory would suffice nicely, or even a 2811 with 512.)

    This is kind of what I want to do. We have a 2621xm now, I suppose that upgrading to a 2811 would be very nice. She wants to upgrade our network gear anyway so that would be ideal.
    SteveO86 wrote: »
    Depending on your webserver and if it does HTTPS transactions, and HIPS installed on the server itself may offer better protection, many AV programs nowadays offer built-in HIPs (Symantec Enpoint, Trend Micro) or they have dedicated HIPS programs (Cisco CSA) out there (can be expensive to implement)

    We are a Mcafee shop and I plan to use their HIPS product on the web server. Also there are several good free and commerical web application firewalls out there that I want to try.

    SteveO86 wrote: »
    Going back to Firewall/DMZ I always remember the FW and DMZ is ment to go through hell and anything in the DMZ is not mission critical to your organization and if it got compromised it wouldn't be that big of a deal). Implementing Private VLANs correctly in the DMZ can limit the damage done by an attack.

    Sorry for being so Cisco oriented.. It's just my environment.

    Care to elaborate on your private VLANs for DMZ design?
  • RTmarcRTmarc Member Posts: 1,082 ■■■□□□□□□□
    One question I always pose to people when these topics come up is what is the risk associated with your company. Spending gobs of money for security is important but at the end of the day is it necessary? Do you really need that level of security? (I'm speaking directly towards the question of multi-vendor, multi-firewall clusters.) It is one thing if your company is enriching uranium for the government and something totally different if your company makes plastic spoons. If that level is needed, go for provided the resources are there.

    I, personally think security should be kept as absolutely simple as possible in terms of network design. The more vendors you throw into the mix the bigger the headache; especially if it is an unnecessary complexity. I try to avoid the "he said, she said" finger-pointing that vendors like to go at whenever possible. Many times, a single firewall cluster with properly laid DMZs and network segmentation along with IPS/IDS is more than enough to protect your perimeter.
  • it_consultantit_consultant Member Posts: 1,903
    What was your coworker suggesting as the other firewall vendor?
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    What was your coworker suggesting as the other firewall vendor?


    For the short term something like Iptables linux box or pfsense*

    *He was actually surprised when I disagreed with him because I'm the "Find a non windows way" guy at work so he thought the moment he said something open source I would jump for it. It isn't that I am against anything opensource (very far from it) I just don't see the need to have anything in this instance.
    RTmarc wrote: »
    One question I always pose to people when these topics come up is what is the risk associated with your company. Spending gobs of money for security is important but at the end of the day is it necessary? Do you really need that level of security? (I'm speaking directly towards the question of multi-vendor, multi-firewall clusters.) It is one thing if your company is enriching uranium for the government and something totally different if your company makes plastic spoons. If that level is needed, go for provided the resources are there.

    We are an insurance company and the other guy likes to say "We aren't google" all the time. I don't think we need it but for some reason he seems to think so.


    Later on, I think I am going to post a clean version of what I am thinking.
  • SteveO86SteveO86 Member Posts: 1,423
    I felt that it would be double work and cause latency for no reason as well. I need to check and see if there is a feature like that on Sonicwall.

    A friend of mine configured a windows box.. I think it was ISA (or maybe forefront) in front of a hardware firewall (I think sonicwall) and latency/speed was not effected at all, but he had a beefy server doing this.
    Good idea icon_thumright.gif

    I get those sometimes icon_smile.gif

    This is kind of what I want to do. We have a 2621xm now, I suppose that upgrading to a 2811 would be very nice. She wants to upgrade our network gear anyway so that would be ideal.

    I don't think I would run IPS on a 26xx, but if you are going to buy new equipment might as well try for a new 29xx :D

    Care to elaborate on your private VLANs for DMZ design?

    Their is a fairly straight forward explanation of the private VLAN here but my thought process here is if one machine in the DMZ gets compromised the others won't go down as easy (since the other servers in the other PVLANs are not visible to each other as long as they are configured that way).. But this really depends if you think it's necessary, how much is in your DMZ, and what it is.

    PVLAN's can be very a confusing subject, I know it took me a bit to get the concept... and then to think of a reason of why I would bother using PVLANs...

    --

    If anything the IOS Firewall, seems to be the path of least resistance, if it has to be done...

    Only times I would probably support double firewall if they each supported their own internet connection, and that's mainly for redundancy purposes.

    Now I don't want to try and sound lax in security, but are you able to pull any logs off the SonicWall or Servers that might justify this increase in security?
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Here is a dumb question:

    Do you know if you have to have all 3560s (or supported switches) to run private vlans or can you have private vlans on only a few switches?
  • SteveO86SteveO86 Member Posts: 1,423
    I found a cisco chart that cover what Switches/IOS support PVLAN's Private VLAN Catalyst Switch Support Matrix - Cisco Systems So that should limit the options. Most PVLAN options are available on the higher level switches though.

    I think he used that particular model because they are layer 3 switches and it makes it look easier.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Interesting. That's some very good information. I might have to implement pvlans in my network plan.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Regardless of which design you end up going with (single or dual firewall, etc.), be sure to audit your perimeter from both outside and inside zones. I'm currently going through the GCFW SANS course (SEC502) and it's mentioned that just about any vendor can unintentionally leak packets in different ways due to improper implementation.

    One example cited is how different firewall vendors handle fragmented packets. How about ICMP classification and "statefulness?" It's kind of amazing how the big-name vendors have screwed up some of the basics in the past. Unless you actually went through the process of running the proper tests yourself, you would never know what really went through, regardless of what you expected from looking at your firewall configs.

    I'd also suggest running the lockdown / audit wizard on your border router. You figure Cisco out of all vendors would leave a lot of things turned off by default.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    docrice wrote: »
    Regardless of which design you end up going with (single or dual firewall, etc.), be sure to audit your perimeter from both outside and inside zones. I'm currently going through the GCFW SANS course (SEC502) and it's mentioned that just about any vendor can unintentionally leak packets in different ways due to improper implementation.

    One example cited is how different firewall vendors handle fragmented packets. How about ICMP classification and "statefulness?" It's kind of amazing how the big-name vendors have screwed up some of the basics in the past. Unless you actually went through the process of running the proper tests yourself, you would never know what really went through, regardless of what you expected from looking at your firewall configs.

    I'd also suggest running the lockdown / audit wizard on your border router. You figure Cisco out of all vendors would leave a lot of things turned off by default.

    Thanks for the information. I really want to do that course but I'm not a baller like you lol. icon_sad.gif
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    For the short term something like Iptables linux box or pfsense*

    *He was actually surprised when I disagreed with him because I'm the "Find a non windows way" guy at work so he thought the moment he said something open source I would jump for it. It isn't that I am against anything opensource (very far from it) I just don't see the need to have anything in this instance.

    Unfortunately, I can't comment too terribly much on the subject matter of this thread, as my opinions may reveal operational details, and that's frowned upon.

    I will say this though - pfsense is a kickass little appliance distro, and I've had good experiences with it as an actual piece of hardware, and as a virtual machine. It beats the snot out of the equivalents like IPCop and Untangle.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Unfortunately, I can't comment too terribly much on the subject matter of this thread, as my opinions may reveal operational details, and that's frowned upon.

    I will say this though - pfsense is a kickass little appliance distro, and I've had good experiences with it as an actual piece of hardware, and as a virtual machine. It beats the snot out of the equivalents like IPCop and Untangle.


    In your personal, non work, totally forsaken_GA opinion if someone walked up to you and said choose between the aforementioned designs which one would you choose?
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    In your personal, non work, totally forsaken_GA opinion if someone walked up to you and said choose between the aforementioned designs which one would you choose?

    I think it depends entirely on the data you're protecting. The more important the data, the more I would trend toward the layered approach.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I think it depends entirely on the data you're protecting. The more important the data, the more I would trend toward the layered approach.

    I think that is a fair thing to say.
  • phoeneousphoeneous Member Posts: 2,333 ■■■■■■■□□□
    docrice wrote: »
    I'd also suggest running the lockdown / audit wizard on your border router.

    But read up on it first. I deployed a 1921 and in the lab I ran lockdown. They arent kidding when they say "lockdown". What's cool is you can see the commands first before running it and then pick and choose at the cli.

    Too bad pvlan's arent supported on 2950's...
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    phoeneous wrote: »
    But read up on it first. I deployed a 1921 and in the lab I ran lockdown. They arent kidding when they say "lockdown". What's cool is you can see the commands first before running it and then pick and choose at the cli.

    Too bad pvlan's arent supported on 2950's...


    I remember it from ccna security. I know it is pretty hardcore.
  • SteveO86SteveO86 Member Posts: 1,423
    I did a blog post on the 1 step lockdown some time ago, and also got a link to Cisco guide to hardening IOS which has a wealth of information.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    SteveO86 wrote: »
    I did a blog post on the 1 step lockdown some time ago, and also got a link to Cisco guide to hardening IOS which has a wealth of information.


    Great information! I am going to have to give this a once over. Since our meeting about network design has been pushed back til Monday, i'll have more time to prepare my design.



    Ok I still haven't been able to figure this out. Say I have switches set up like this:

    3560>>3560>>3550

    or like this:

    3560>>3550>>3560

    or even like this:

    3550>>2950>>3560

    Could I still deploy private vlans between the two 3560s? Like if at any frames have to traverse a path that doesn't read private vlans does that negate the ability to use private vlans? Also if the direct path of the switches can read private vlans but they all terminate into switches that either don't read private vlans or aren't configured for them, does that negate the ability to use them? I hope my question makes sense lol
  • it_consultantit_consultant Member Posts: 1,903
    I tend to agree that you only need one firewall. If you are in the mood for spending money, you might as well do it right and go with a solution like IBM Proventia behind your firewall.

    IBM - Protect virtual and physical networks with IBM Security Network Intrusion Prevention System Virtual Appliance - Security Server Protection - Software

    IBM - Security Network Intrusion Prevention System - Software

    IBM - IBM Proventia® Network Enterprise Scanner - Proventia Network Enterprise Scanner - Software

    Realistically, an attacker skilled enough to get around your primary firewall will make short work of another firewall or network device that does substantially the same thing.
Sign In or Register to comment.