Monday, October 01, 2018

Re: network architecture question

Hi Marko,

sorry for the slow response, but given that nobody else answered,
maybe it's still relevant.

Marko Cupac wrote on Fri, Sep 14, 2018 at 02:45:30PM +0200:

> for years I have been using setup with two firewalls: "outer" one -
> FW1-BGP - connecting to upstream ISPs and talking BGP to them regarding
> my DMZ, and "inner" one - FW2-NAT, doing NAT for my LAN.
>
>     ISP1   ISP2
>        \   /
>      [FW1-BGP]
>          |
>        (DMZ)
>          |
>      [FW2-NAT]
>          |
>        (LAN)

That's the normal firewall topology for any network of any significant
size and security requirements.

> (Actually, it's more complicated due to each of the firewalls having
> their CARP twin, but that shouldn't matter for my questions).
>
> I'm considering moving to setup with just one firewall (ok, two,
> because of CARP, once again it should not matter), which would connect
> to upstream ISPs, DMZ and LAN.
>
>     ISP1   ISP2
>        \   /
>      [FW1-ALL]
>        /   \
>     (DMZ)  (LAN)

That's a poor-man's solution for somebody who cannot afford the
hardware or electricity cost for two machines. I doubt that's
the case for you.

This is discussed in very great detail, covering several chapters,
in the fundamental book by Elizabeth D. Zwicky, "Building Internet
Firewalls" (O'Reilly 2000). While in that book, lots of information
about specific services is somewhat dated, I think the part about
topologies still holds.

Of course, I cannot summarize several chapters in one sentence,
but the essence is that FW1-BGP is directly exposed to the Internet,
so in that sense, it is easy to attack and ought to do as little
as possible and be as simple as possible for optimum security,
whereas FW2-NAT is the crucial defence for your LAN and necessarily
more complex. On the one hand, that is OK because it is protected
by FW1-BGP, so it is much harder to attack in the first place.
On the other hand, you absolutely do not want FW2-NAT compromised,
because then your LAN would be wide open to attack.

To summarize, your plan will dramatically reduce the security
standard of your network in several ways. It is certainly not
a good idea for a corporate or professional firewall protecting
a network of any significant size or importance. Zwicky repeatedly
and emphatically warns against putting any other services on the
internal router (FW2-NAT in your case), in particular against
combining it with any of the DMZ hosts or with the external router
(FW1-BGP in your case).

> Any success / failure stories from admins who already went through
> this? Any pitfalls I should avoid?

Despite the above, you may be surprised that I have been running
exactly your FW1-ALL topology on the firewall router of the student
organization of the University of Karlsruhe since 2001 - except
that we have only one ISP uplink, and that's not going directly to
the Internet, but to the computing center of the university, so
there is still the university firewall separating it from the
Internet. But the protected network is small, has only a couple
dozen users, and is rarely attacked, so we didn't and don't really
need a full-blown two-layer firewall.

> Or should I just continue with my current two-firewall setup?

I find it very likely indeed that is what you want to do.

> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.

Quite a fitting motto in this case. :-)

Hope you enjoyed Bucuresti...

Yours,
Ingo
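As an added illustration of the split Ingo describes (this is not from the original mail and not Marko's actual configuration), here is a minimal pf.conf pair for the two boxes: FW1-BGP knows nothing about the LAN and does no NAT, FW2-NAT does the translation and never admits anything initiated from the DMZ side. Interface names, the BGP peer addresses and all prefixes are assumed placeholders from the documentation ranges.

```pf
# ===== FW1-BGP (outer box): as little as possible =====
ext1_if   = "em0"                        # uplink to ISP1 (assumed name)
ext2_if   = "em1"                        # uplink to ISP2 (assumed name)
dmz_if    = "em2"
bgp_peers = "{ 192.0.2.1, 198.51.100.1 }" # assumed upstream router addresses
dmz_net   = "203.0.113.0/24"             # assumed public DMZ prefix
dmz_www   = "203.0.113.10"               # assumed published DMZ host

set skip on lo
block log all                            # default deny, both directions

# BGP sessions with the two upstreams, nothing else terminates here
pass out on { $ext1_if $ext2_if } proto tcp to $bgp_peers port bgp
pass in  on { $ext1_if $ext2_if } proto tcp from $bgp_peers port bgp

# Only the published DMZ services are reachable from the Internet
pass in  on { $ext1_if $ext2_if } proto tcp to $dmz_www port { 80 443 }
pass out on $dmz_if proto tcp to $dmz_www port { 80 443 }

# DMZ-originated traffic, which includes the LAN traffic FW2 has
# already translated to its DMZ-side address; FW1 never sees LAN addresses
pass in  on $dmz_if from $dmz_net
pass out on { $ext1_if $ext2_if } from $dmz_net

# ===== FW2-NAT (inner box): NAT for the LAN, no other services =====
dmz_if  = "em0"                          # assumed: faces the DMZ
lan_if  = "em1"                          # assumed: faces the LAN
lan_net = "10.0.0.0/16"                  # assumed private LAN prefix

set skip on lo
block log all

# Rewrite LAN sources to FW2's DMZ-side address before they leave
match out on $dmz_if from $lan_net to any nat-to ($dmz_if)

# LAN may initiate outbound; state entries carry the replies back.
# No pass-in rule exists on $dmz_if, so nothing from the DMZ or the
# Internet can open a connection toward the LAN.
pass in  on $lan_if from $lan_net
pass out on $dmz_if
```

Each half belongs in its own /etc/pf.conf on the respective machine; the file is split here only to keep the two rulesets side by side.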
