Solved

Firewall Philosophy and Risks

Posted on 2016-11-04
Last Modified: 2016-11-27
I have a few situations where an appliance device will be installed on a site LAN and would need DHCP service, internet access with some security and with some port forwarding set up.

The site has a "main" firewall that performs all kinds of functions like virus scanning, web filtering, threat filtering, logging, etc.  There are no port forwards.  There is no DHCP service active on the LAN.

Rather than perturbing the main firewall configuration with the special requirements of the appliance, it's a fairly simple matter to add a new public IP address, a simple firewall providing DHCP to only the appliance and with the port forwards to the appliance.  This keeps things separate and contained.

Public IP Address 1 >> Main Firewall  Gateway 1  >> LAN A workstations (no DHCP service for workstations)
                                                                                            ||||| (same LAN)
Public IP Address 2 >> Simple Firewall Gateway 2>> LAN A appliance      (DHCP active for only the appliance)

The main firewall provides its security services to the "workstation population" on the LAN.  It has by far the heaviest traffic.

The simple firewall for the appliance doesn't provide much in the way of security services and only handles the appliance traffic.

(The LAN workstations have the main firewall as their gateway.  The appliance has its simpler firewall as its gateway.)

But, doing this raises an interesting question:

It could be argued that having 2 public IP addresses connecting to the same LAN is somehow "worse" from a security point of view.  But that seems more theoretical than practical because either address is equally accessible.  

It could be argued that having a "heavy duty, multifunction firewall" is "better" but is it really for the appliance traffic?

It could be argued that adding a simple firewall makes things "worse" somehow even though the heavy traffic and human-interactive traffic doesn't traverse this path.  Is the simple firewall "worse" because it doesn't offer services or because it's somehow inferior in doing the simple firewalling job?  

I'm interested in thoughtful opinions regarding the described configuration.

If someone wants to discuss alternative configurations then ask and I'll open another question.  (For example, why not put the appliance on another subnet entirely?  Here I'm going to assume this isn't feasible).
Question by:Fred Marshall
8 Comments

Expert Comment

by:Larry Struckmeyer MVP
Not sure I can cover all of that in one reply, however:

A true business class firewall should have multiple public/WAN ports so no need for a separate one.

If there is no DHCP server anywhere in the LAN, as you suggest, then adding one with a scope of one IP would not harm anything.  In fact, if every other device has a static IP the DHCP server could have a scope of all 254 class C IPs and it would not affect anything.

I see no point in separating the appliance to a separate public IP if the only port forwards are to it and all the internal devices are on the same subnet.

Author Comment

by:Fred Marshall
A true business class firewall should have multiple public/WAN ports so no need for a separate one.
Granted.  In fact, the only reason for a separate public address would be to accommodate a separate physical firewall device.  There is no other *need* for another public/WAN port.

if every other device has a static IP the DHCP server could have a scope of all 254 class C IPs and it would not affect anything.
Yes.  I understand.  The configuration is as I'd encountered it long ago.   It is inconvenient at times (such as when setting up a new printer that has no control panel! - we no longer buy those).  But, in a somewhat IP-centric way of viewing things, it avoids laziness and pondering "where did that come from?".    And, it avoids the possibility that physical security is breached and some device gets plugged in and works!  It obviously does not avoid someone setting a static IP in the subnet.  The first is a bit "too easy" and the second is a bit "harder" - not solid but subjectively speaking.

I see no point in separating the appliance to a separate public IP if the only port forwards are to it and all the internal devices are on the same subnet.
Except I have to admit that it's easier to do in view of the nature of the "true business firewall" and me.  But indeed that would be a very reasonable way to do it.  But this is an alternate approach.  The question was focused on pros and cons of the described approach.

Thanks for the thoughtful comments!

Assisted Solution

by:CompProbSolv
CompProbSolv earned 250 total points
If you used a separate firewall, would the LAN side be physically isolated from the main LAN?  If so, then there would be some (slight?) benefit security-wise.  If not, then I think you'd be worse off.

I'd consider enabling DHCP on the existing firewall but, if you don't want rogue devices connecting, restrict the leases to specific MAC addresses.

I would think that the only security issue with port forwarding to a specific device would relate to that device only.  You'd have the same issue with the separate firewall.

As I wrote that, I thought of a potential issue.  If someone were able to hack into the appliance and reprogram it, if it were on the same physical network as the computers then there is some potential for it to create problems there.

If you can keep the wiring separate for the appliance, consider connecting it to one of the ports on the firewall and restricting it to traffic to and from the WAN port only.  Unless someone can hack into the appliance and then hack into your firewall from there (this seems quite unlikely), that should be very secure.

In general, I'd lean heavily toward the single "serious" firewall for this scenario and configure it to accomplish what you need securely.
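As an added example (not code from the thread or from any of its participants), here is what CompProbSolv's two suggestions look like on a small Linux box used as the appliance's "simple firewall": dnsmasq hands out a DHCP lease only to the appliance's MAC address, and nftables pins the appliance to WAN-only traffic with a single port forward in. Interface names (wan0/lan0), the 192.168.1.0/24 addressing, the MAC 00:11:22:33:44:55 and the forwarded port (public 8443 to appliance 443) are placeholders; the NAT rules use the classic ip-family table so they also load on older nft releases.

```shell
#!/bin/sh
# Added example: appliance-only DHCP plus a WAN-only forward policy.
# Placeholders: wan0/lan0, 192.168.1.0/24, MAC 00:11:22:33:44:55, port 8443->443.
set -eu

# dnsmasq in "static" mode: no dynamic pool, so a client whose MAC has no
# dhcp-host= entry gets no lease at all (the MAC-restricted DHCP suggestion).
write_dnsmasq_conf() {
    cat > "$1" <<'EOF'
# Serve DHCP on the appliance-side interface only.
interface=lan0
bind-interfaces
# "static" mode: only hosts listed in dhcp-host= are ever offered a lease.
dhcp-range=192.168.1.0,static
# The appliance (placeholder MAC) always receives 192.168.1.50.
dhcp-host=00:11:22:33:44:55,192.168.1.50,appliance
# Belt and braces: ignore requests from any MAC not listed above.
dhcp-ignore=tag:!known
dhcp-option=option:router,192.168.1.1
EOF
}

# nftables: default drop, one DNAT port forward in, appliance-to-WAN only out.
write_nft_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The only port forward: public TCP/8443 -> appliance TCP/443.
        iifname "wan0" tcp dport 8443 dnat to 192.168.1.50:443
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # DHCP and DNS from the appliance side; nothing else reaches the box.
        iifname "lan0" udp dport { 67, 53 } accept
        iifname "lan0" tcp dport 53 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Outbound: only the appliance's address, only toward the WAN.
        iifname "lan0" oifname "wan0" ip saddr 192.168.1.50 accept
        # Inbound: only the forwarded flow (daddr already rewritten by DNAT).
        iifname "wan0" oifname "lan0" ip daddr 192.168.1.50 tcp dport 443 ct state new accept
        # Any other source on lan0, and any lan0 -> lan0 hairpin, is dropped.
    }
}
EOF
}

# Write both files into OUT_DIR (defaults to a fresh temporary directory).
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
write_dnsmasq_conf "$OUT_DIR/dnsmasq.conf"
write_nft_ruleset "$OUT_DIR/appliance.nft"
echo "wrote $OUT_DIR/dnsmasq.conf and $OUT_DIR/appliance.nft"
```

Load with `nft -f appliance.nft` and point dnsmasq at the generated file. The forward chain only helps in the separately-cabled case CompProbSolv describes: if the appliance shares a switch with the workstations, as in the question, its traffic to them never crosses this box and no rule here can see it.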

Author Comment

by:Fred Marshall
CompProbSolv:
If you used a separate firewall, would the LAN side be physically isolated from the main LAN?
No.  But using a separate LAN or VLAN would be a better solution.  Part of the problem is that the appliance is of low value and there is no cabling where it will reside except the current LAN cabling.  It appears that common practice is to have the appliance on the main LAN.   I suppose I could run a couple of LANs on the same cables and that would do "something" at least.

In general, I'd lean heavily toward the single "serious" firewall for this scenario and configure it to accomplish what you need securely.
Well, I suppose that would be the conventional wisdom.  What I'm looking for here is a discussion on "why?".  

My thinking goes like this (and I'm surely open to suggestions):
The "serious" firewall is no more "serious" except for its handling of serious traffic (AV, Web filtering, etc. and perhaps some "nice to have" features like failover, etc.)
A simple firewall can block traffic just as well and can do port forwarding just as well.
Is there any disagreement with that?
I can think of but a few exceptions:
For example, a better firewall might add stateful packet inspection for traffic within the LAN that might traverse the firewall.  Simpler ones don't do that. (An example is when there's a separate VPN or MPLS device on the LAN and the firewall is the gateway.  The outgoing traffic traverses the LAN side of the firewall.)
Here, my idea is to use the simple firewall as the gateway for the appliance only and the serious firewall for everything else.  

The very idea of this posed the question for me that I've posed here:
Is the simple firewall "worse" because it doesn't offer services or because it's somehow inferior in doing the simple firewalling job?  
It's always easy to think of the "better" firewall as "better" in all respects and the others as somehow inferior.  When is that justified with facts?  When is that not justified with facts?  I hope I'm conveying the idea better.

Expert Comment

by:Rich Rumble
Firewalls are thought to be more stack-complete, if you will; they typically have more abilities than routers do in terms of the OSI stack. If your "2nd firewall" has no open ports incoming (ingress) and has no real ACLs to speak of beyond denying incoming traffic for the publicly addressed IP space, you can use any SOHO product for your DHCP needs. A small switch or wifi router could do just as well as a "2nd firewall". Right now I'm not understanding the need for this setup, as your "big" main firewall can have ACLs applied on all its interfaces to be sure. If the CPU isn't being pegged at peak working times, there is no need for a second one to share the load with.
Having an IP, or many IPs, isn't a security threat; having open ports with running services behind them is where the "threat" begins. NAT'ing out isn't a threat.
I think we're into the weeds if we think of a layer-3 ACL being bad or worse because of the device applying such an ACL. A router blocking TCP 1.2.3.4 ports 0-65535 is the same as a switch or a firewall applying that rule. The packets are dropped equally. Where a firewall starts to shine above most switches or routers is the upper layers 4-7. Most OSs can do good firewalling at various layers too.
-rich

Author Comment

by:Fred Marshall
Rich,

OK.  It sounds like this is starting to make some sense to me.  
In my simple view, one differentiator is the expected traffic or traffic types.
I can see that the Layers apply to different types.

Where a firewall starts to shine above most switches or routers is the upper layers 4-7.
So, conversely, "where a simple firewall starts to dim compared to a better firewall is in the upper layers 4-7."  My question is: when does that matter?  I know you tried to answer that....

Accepted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
It doesn't, so the question is befuddling :) A block is a block, I would say; it doesn't matter what appliance carries it out. Routers, switches and OSs can be as effective as each other in blocking on MAC address or by IP (layer 2/3 respectively). Some "next-gen" firewalls can read the URL destination, or content in the packets, which puts them in a more unique position to create blocks beyond layers 2/3. Many appliances also have DHCP available. The words "2nd firewall" in this question are in my mind interchangeable with any other networking device. So then the question becomes: is this setup needed at all? I am not able to answer that. I've seen this in networking, a dedicated DHCP server for one segment or one VLAN; it doesn't introduce any exposure to your org if you're not opening any additional ports inside. It's always possible a certain packet may interfere with a device, but unless it somehow affects layer 3, a flaw I've not seen in a generation now (think ping of death), you aren't creating any additional security issues from the outside perspective.
-rich

Author Closing Comment

by:Fred Marshall
Thanks!