Dual physical firewall design

Hi guys, I am tasked to set up 2 physical firewalls of different brands. I need to ask some technical questions. Currently I am using a single firewall design and NAT is configured for mail and web servers. If I'm using a dual firewall design with the 1st firewall facing the internet and the 2nd one connected to the LAN with a DMZ in between, may I know how NAT is configured? Is NAT configured on the 1st firewall or the 2nd firewall? Is only an ACL configured on the 2nd firewall? What kind of changes am I looking at configuring? I also have a site-to-site VPN configured. Thanks for your help.
totallypatrick Asked:
Daniel Helgenberger Commented:
Can you please elaborate more on what you need to achieve? What do you mean exactly by NAT: do you want to forward ports from the 'external' firewall through the DMZ into the LAN net?

If so, IMHO such a setup is prone to errors and would render the DMZ firewall quite useless. You can do such setups perfectly well with one firewall and different VLANs while using the other firewall as fail over. There is CARP for that, which should in theory at least work with different vendors (though I have no experience with such multi vendor setups).
Blue Street Tech Commented:
Hi totallypatrick,

Are you set on Cisco? If not, I'd recommend SonicWALL.
I'd agree with helge000n, you can achieve the security you want in a single Next Gen firewall security appliance. I don't know how many users you have there but you can do Active/Passive Hardware Failover with State Sync with any of the NSA models and, in the TZ series, Active/Passive Hardware Failover with the TZ 205 & TZ 215. All SonicWALL units will do load balancing and multi-WAN fail-over as well by default.

Let me know if you have any more questions!
Kash Commented:
As per the above comments, one firewall would be good enough if configured properly.

whichever you want to stick to would be good enough. We sometimes use Kerio Control and for an entry level product it is very good and does what it says on the tin.
InteraX Commented:
Following security best practice dictates using 2 separate firewalls from 2 different vendors to prevent issues from one vendor causing open holes into your internal system.

Now to the technical requirements. You will need to set up NAT from the DMZ to the internet on the external firewall for each service you want to publish to the internet. You will then need to create ACLs allowing the traffic on this firewall.

You may then need to create an identity NAT or NAT exemption (in Cisco ASA terminology) to prevent the traffic from being translated, though you can probably get by without this if you are not doing any NAT on this device. You may want to hide the internal IPs from the devices in the DMZ, so may publish the services to the DMZ itself first.

If you have L2L VPN requirements, you can run the VPN from the internal firewall and publish the IPs through the external firewall, or you can allow the traffic through the internal firewall and set up the L2L VPN on the external firewall. I would probably recommend using the former unless your DMZ needs access to remote sites or remote sites need access to the DMZ.
totallypatrick (Author) Commented:
Hi helge, yes I'm trying to forward external traffic from the WAN to my servers in the DMZ. Normally I just do a NAT on my firewall but I need the technical expertise as to how to do it if the firewalls are split into external and internal boxes.
totallypatrick (Author) Commented:
Hi diverseit, I'm currently on an NSA 2400 firewall. Just wondering what a dual layer firewall setup would look like.
Blue Street Tech Commented:
Are you looking to do a HA fail-over? If so, here is what it would look like:
High Availability Example: The LAN (X0) interfaces are connected to a switch on the LAN network. The WAN (X1) interfaces are connected to another switch, which connects to the Internet.

The dedicated HA interfaces (Gen5) - or the last available copper Ethernet interfaces, like X5 on Gen4 Pro models -  are connected directly to each other using a crossover cable.

Note: If you are connecting the Primary and Backup appliances to an Ethernet switch that uses the spanning tree protocol, be aware that it may be necessary to adjust the link activation time on the switch port that the SonicWALL interfaces connect to. E.g., on a Cisco Catalyst-series switch, it is necessary to activate spanning tree port fast for each port connecting to the SonicWALL security appliance’s interfaces.

This is the high-level overview but if you need a step-by-step on the config, let me know and I can supply it!
totallypatrick (Author) Commented:
Nope, I'm not looking into HA failover. I'm trying to achieve this:

WAN <--> 1st Tier Firewall <--> DMZ <--> 2nd Tier Firewall <--> Internal LAN
InteraX Commented:
Have you decided on a vendor for each of the firewalls? Do you know which subnets need access to the DMZ and all the other rules you need in place?
mannyfernandez Commented:
Not sure of the regulatory compliance issues you are dealing with but, as others have stated, it is "normally" not required. And the DMZ you speak about, although still viable, is not used normally. Again, this is a design decision and if you have regulatory compliance issues, then very well.

My suggestion:

Forward facing firewall:
If this firewall is to allow only mass traffic, that is HTTP, SMTP etc., you may be able to get by using (assuming you have a Cisco router on the edge) the router with the ZBFW or CBAC feature. If you are going to use either, I would opt for the Zone-Based one, especially if you will have another "zone" to protect.


Inside Facing Firewall:
This Firewall can be any of the Next Gen firewalls that will meet your specific requirements (content filtering, IPS, L4-7 etc).  My personal recommendation is a PaloAlto Networks firewall.  For specific L4-L7, I would look at PaloAlto Networks first, Fortinet Second.  I personally do not like Sonic Wall.  It is mainly for mom and pop, although they have a model they call "Super Massive" (Ridiculous name in my opinion).

As for your VPN decryption domain, it would depend what resources VPN users will be using.  Remember that if you terminate on the 'outside' firewall, the packets will not be encrypted as they pass "by" your DMZ.  If they will primarily terminate to access internal resources, I would terminate on the Inside firewall.  All you would need to do is:

Option 1:
If the ISP gives you another range (or if you have a large range you can subnet), you could assign a non-RFC 1918 address space to the transit network (between the Outside and Inside).  This would allow you to route that subnet to the inside without mucking around with NATing.  You could filter IP protocol 50 for ESP or 51 for AH (I recommend ESP since AH does not do encryption), and IKE (UDP 500 or 4500 if you are doing NAT traversal) and you should be OK.

Option 2:
Create a One-to-One NAT on the outside firewall for the Inside Firewall's IP where the IPSec is configured.  Then create an ACL/Policy/Rule on the outside firewall permitting the same IP 50, UDP 500/4500 and make the NAT Bi-directional.

On a Cisco ASA it would be:

! inbound ACL on the outside interface: the ASA needs the 'host' keyword for a single address
access-list outside-access-in extended permit esp any* host %internal firewall IP%**
access-list outside-access-in extended permit udp any* host %internal firewall IP%** eq 500
access-list outside-access-in extended permit udp any* host %internal firewall IP%** eq 4500
!
access-group outside-access-in in interface outside
!

* You could create an object-group defining which hosts you want to allow to VPN (if the VPNs are site-to-site with a fixed IP).

** This is assuming you are running ASA code 8.3 or later. If it is 8.2 or earlier, replace the internal IP with the external (public) one.

8.2 code NAT command (mapped address first, then real address):
static (inside,outside) %public-ip% %private-ip%

8.3 code or above (object NAT: the static translation hangs off the network object):
object network internal-fw
 host %private-ip%
 nat (inside,outside) static %public-ip%

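As an added worked example (not configuration posted by anyone in this thread), here is what the two-tier design from the question looks like on two Cisco ASAs running 8.4+ code, combining InteraX's point that the publishing NAT and the public-facing ACL live on the external firewall while the internal firewall only filters, and mannyfernandez's Option 2 for terminating the site-to-site VPN on the internal firewall behind a 1:1 NAT. Every address, interface name, server role and port below is an assumption chosen for the example (RFC 5737 documentation space on the public side, RFC 1918 for the DMZ and LAN): 203.0.113.0/29 is the ISP block, 172.16.10.0/24 the DMZ, 10.0.0.0/24 the LAN, 198.51.100.5 the remote VPN peer, and the web, mail-relay, internal mail and database hosts are placeholders.

```cisco
! ===== FW1: external (Internet-facing) ASA, 8.4+ syntax =====
! All NAT for published services happens here; the DMZ only ever sees RFC 1918 addresses.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! The LAN sits behind FW2; FW1 must know the path for return traffic and outbound PAT
route dmz 10.0.0.0 255.255.255.0 172.16.10.2
!
object network web-dmz
 host 172.16.10.10
 nat (dmz,outside) static 203.0.113.3
object network mail-dmz
 host 172.16.10.20
 nat (dmz,outside) static 203.0.113.4
! 1:1 static NAT for FW2's outside interface so IKE and ESP survive translation (Option 2)
object network fw2-outside
 host 172.16.10.2
 nat (dmz,outside) static 203.0.113.5
! Outbound LAN traffic is PAT'd here, not on FW2, so FW2 stays free of NAT statements
object network lan-inside
 subnet 10.0.0.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
object-group network vpn-peers
 network-object host 198.51.100.5
! 8.3+ ACLs match the real (untranslated) address, hence object names rather than public IPs
access-list outside-access-in extended permit tcp any object web-dmz eq 443
access-list outside-access-in extended permit tcp any object mail-dmz eq 25
access-list outside-access-in extended permit esp object-group vpn-peers object fw2-outside
access-list outside-access-in extended permit udp object-group vpn-peers object fw2-outside eq 500
access-list outside-access-in extended permit udp object-group vpn-peers object fw2-outside eq 4500
access-group outside-access-in in interface outside

! ===== FW2: internal ASA, routing plus ACLs only (no NAT statements at all) =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.10.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.10.1
!
object network web-dmz
 host 172.16.10.10
object network mail-dmz
 host 172.16.10.20
object network mail-internal
 host 10.0.0.25
object network db-internal
 host 10.0.0.50
! Only the named DMZ hosts reach the named internal hosts on the named ports; all else is logged and dropped
access-list outside-access-in extended permit tcp object mail-dmz object mail-internal eq 25
access-list outside-access-in extended permit tcp object web-dmz object db-internal eq 1433
access-list outside-access-in extended deny ip any any log
access-group outside-access-in in interface outside
!
! Site-to-site IPsec terminates here, so LAN<->branch traffic is already encrypted when it crosses the DMZ.
! FW2 will detect it is behind NAT and switch to UDP 4500, which is why FW1 permits both 500 and 4500.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
access-list vpn-to-branch extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map outside_map 10 match address vpn-to-branch
crypto map outside_map 10 set peer 198.51.100.5
crypto map outside_map 10 set ikev1 transform-set AES256-SHA
crypto map outside_map interface outside
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
```

Two things worth checking once this is in place: on FW1, run `packet-tracer input outside tcp 198.51.100.9 40000 203.0.113.3 443` and confirm the NAT phase maps to 172.16.10.10 before the ACL phase; on FW2, the explicit `deny ip any any log` at the end of the outside ACL is what gives you a log line for any DMZ host that starts probing the LAN, which the implicit deny would silently drop. For mannyfernandez's Option 1 (a routed public subnet on the DMZ link instead of NAT), remove the three `nat (dmz,outside) static` lines on FW1, give FW2's outside interface and the DMZ servers addresses from that public block, and the ACLs stay as written because they already name real addresses.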
Daniel Helgenberger Commented:
Hello mannyfernandez,

just wanted to say thanks for your interesting post on the matter (I myself was about to write about 1:1 NAT, but you have done the better job by far).

I also think terminating VPN on the inside firewall will be the best option. The public subnet (option 1) is by far the best for a DMZ. I had not thought about that!

Option 2 can be quite tricky to set up in my experience. Manual outbound NAT would be needed on the internal firewall and this is often not very transparent and subject to misconfiguration; this is what I meant in my first post.
mannyfernandez Commented:
Actually 'helge000' makes a good point. I did not mention a transparent firewall as an option. This option would allow you to have the same subnet on your 'internal' and 'DMZ'. You could have a transparent FW behind the outside FW.

Ideally though, you could have a single firewall with multiple interfaces; one of which is a DMZ.  This way you would force all traffic into the DMZ and only allow particular traffic to-and-fro.

Manny
Blue Street Tech Commented:
@totallypatrick - What is your fundamental goal or purpose for this architecture? What are you trying to achieve?

FYI: This type of architecture is also known as "one out of two" (1oo2) protection scheme.

I can't recommend this config because this architecture that you desire is very deprecated now - it's outdated and will only overly complicate something that doesn't need to be and cost you more in hardware, licensing & management costs to achieve the very same thing, if not better, using a single, standalone, Next-Gen firewall utilizing Zones and a DMZ.

Keep in mind when using a 1oo2 topology or multiple firewall topology between the public Internet and private networks in order to attain this now superannuated "higher risk mitigation" there are some simple rules that must be followed:
1. Both firewalls must inspect all seven layers of the OSI model.
2. Using a packet filter firewall that inspects packets only up to layer 4 of the OSI model as your first firewall and a firewall that inspects all seven layers of the OSI model as your second firewall effectively eliminates any risk mitigation at the same time it decreases overall reliability and manageability when compared to using a single standalone firewall.
3. The inspection methodologies must use disparate technology.
4. Using two firewalls that inspect all seven layers of the OSI model but rely on the same software and inspection methodology provides little, if any, risk mitigation while at the same time it decreases overall reliability when compared to using a standalone firewall.
5. The firewalls must operate on top of disparate operating systems.
6. Using the same operating system on both firewalls reduces risk mitigation since a single exploit of the operating system can take out both firewalls.

@mannyfernandez -
I personally do not like Sonic Wall.  It is mainly for mom and pop, although they have a model they call "Super Massive" (Ridiculous name in my opinion).
I don't mind your postulative opinion but when you make comments like they are for "mom & pop shops" you beg for a rebuttal. You are way off here and this couldn't be further from the truth...take a look at the numbers. BTW the SuperMassive can pass 40Gbps in DPI throughput - SonicWALL has been dominating over Cisco & Fortinet for some time now. Fortinet is not even worth talking about competitively. In fact, regarding Next Gen products, Cisco has fallen way behind in terms of throughput, performance and security adaptation. Only recently have they made a semi-competitive release of their ASA series. While I agree with you that the "SuperMassive" is a ridiculous name...it's just a name at the end of the day. If you are looking at these more objectively you'd be able to see that they are not only competitors but they have been pulling into the lead for their ability to perform and secure. Older SonicWALLs (say 6 yrs ago) I couldn't say the same thing about as I can today. 6 yrs ago I'd be recommending Cisco. But in order for one to be a good security expert one must remain as objective about the technology as possible in order to achieve the greatest results with the most benefits in security.

We have 300 and 500 server datacenters running SonicWALLs all day long - nothing currently compares to the total value, sheer throughput and security.
mannyfernandez Commented:
Was not trying to offend you or Sonic Wall.  It is the same stigma that is attached to Symantec.  Although they have some great products, they are still considered by most in the industry as a PC Anti-Virus company and are generally not taken serious on the grander enterprise markets as is Barracuda.  For the latter, it will be difficult even though they have a huge portfolio and have somewhat decent products.

I am very much aware of the limitations of Cisco and as such, made it specifically clear by stating "My personal recommendation is a PaloAlto Networks firewall" and from my explanation, offensive remarks not withstanding, I am very much vendor neutral.  Just because I do not "personally" like the SonicWall does not mean that I am narrow minded to the technologies of different solutions and their capabilities.  I suggested the CBAC/ZBFW as an option because a majority of people run Cisco routers on the edge and based on the model of Sonic wall the author is running, I assumed that he was not running "300 and 500 server datacenters running SonicWALLs all day long".  With that said, if the author is looking to comply with a regulatory requirement he could achieve it without having to make any CAPEX.

For a person decrying biases, you seem to be a bit biased toward SonicWall. Maybe you too should review some numbers, as the speeds and feeds will tell you that you are not 100% on your statements. I believe that the FortiGate-5140B is a pretty impressive box. Is Cisco the best solution for everything? No, but I am sure that everyone from Juniper to ZyXel wish they had the marketshare that Cisco has. I am very much aware of Cisco's issues and their limitations, nor do I think they are the "silver bullet". I have actually been in San Jose for the past two weeks at a Cisco Bootcamp and have made my issues clear. I am curious to see what comes out of the acquisition of SourceFire. I remain vigilant. There is no doubt that they will develop or acquire the technology if they so choose. I am not so optimistic about PaloAlto though. They will be acquired soon unless they re-invent themselves as the Next-Next Gen Firewall.

I will say that I am a little taken aback since I thought this was a different kind of forum where it was people helping others and chips were removed from the shoulder and left at the login page. I have posted answers to many questions to find others have given a solution that I do not agree with and I make sure not to hijack an author's question with me grandstanding on my soapbox; and yet here I am.

Good day sir.  I hope the author found the answer to his question.

@totallypatrick - My deepest apologies for engaging in the hi-jack of your question.  And yes as @diverseit stated explicitly and I, implicitly, if you decide to move forward with the design, you should have different platforms.  The notion is, if you have a SonicWall running vXYZ of code on both firewalls, the assumption is they will repeat whatever they did to bypass the first firewall.
Blue Street Tech Commented:
@mannyfernandez - Don't worry, you did not offend me - it takes a lot more than name brands and technology to get me worked up. Yes, most assuredly we are all here to help and learn. I made my point in terms of the Author's (@totallypatrick) best interests. Although we are agreeing fundamentally in principle, you didn't have to weigh in with opinion and he already has a SonicWALL. Therefore, I didn't want the Question to get clouded with the idea that he has to go purchase new gear (because by your opinion, his gear would not be good enough to do the job (e.g. "...is for mom and pop shops")), and I'm always up for an argument.

Sometimes, there is a place for a small argument especially when a difference of opinion is struck between two Experts as long as it is related and doesn't overtake the Question, in which case I feel it hasn't here as we have already laid out the answer to this Question several times over.

If you feel this was hijacking...then I guess one could argue we both blew it! My apologies and respect. :)

Cheers!

P.S. What is the discussion about regulatory compliance that has started here? I don't believe there is any discussion about it from @totallypatrick. If I'm wrong, please correct me so I can better understand.
mannyfernandez Commented:
Very well. I responded at 4:00am and I probably should not have responded until later today. As for regulatory issues, just an assumption. Sometimes the auditors / regulators want you to jump through hoops while not understanding the technology. I am fine. We will probably be running into each other here so, better to make allies than enemies. Have a great day.
Blue Street Tech Commented:
@totallypatrick - Any updates or questions you still have?
totallypatrick (Author) Commented:
Thanks all for the positive comments. I guess I will go for a single Next Gen Firewall instead of a dual firewall design.
totallypatrick (Author) Commented:
Clear and concise