Firewall Philosophy and Risks
Posted on 2016-11-04
I have a few situations where an appliance device will be installed on a site LAN and would need DHCP service, internet access with some security and with some port forwarding set up.
The site has a "main" firewall that performs all kinds of functions like virus scanning, web filtering, threat filtering, logging, etc. There are no port forwards. There is no DHCP service active on the LAN.
Rather than perturbing the main firewall configuration with the special requirements of the appliance, it's a fairly simple matter to add a new public IP address, a simple firewall providing DHCP to only the appliance and with the port forwards to the appliance. This keeps things separate and contained.
Public IP Address 1 >> Main Firewall Gateway 1 >> LAN A workstations (no DHCP service for workstations)
||||| (same LAN)
Public IP Address 2 >> Simple Firewall Gateway 2 >> LAN A appliance (DHCP active for only the appliance)
The main firewall provides its security services to the "workstation population" on the LAN. It has by far the heaviest traffic.
The simple firewall for the appliance doesn't provide much in the way of security services and only handles the appliance traffic.
(The LAN workstations have the main firewall as their gateway. The appliance has its simpler firewall as its gateway.)
But, doing this raises an interesting question:
It could be argued that having 2 public IP addresses connecting to the same LAN is somehow "worse" from a security point of view. But that seems more theoretical than practical because either address is equally accessible.
It could be argued that having a "heavy duty, multifunction firewall" is "better" but is it really for the appliance traffic?
It could be argued that adding a simple firewall makes things "worse" somehow even though the heavy traffic and human-interactive traffic doesn't traverse this path. Is the simple firewall "worse" because it doesn't offer services or because it's somehow inferior in doing the simple firewalling job?
I'm interested in thoughtful opinions regarding the described configuration.
If someone wants to discuss alternative configurations then ask and I'll open another question. (For example, why not put the appliance on another subnet entirely? Here I'm going to assume this isn't feasible).
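The layout in the question, as an added reachability model that is not part of the original post. Host names, MAC addresses, ports and the public addresses (TEST-NET-3 documentation range) are constructed; the model checks three things a reviewer of this design would want to see: which LAN hosts are reachable from the internet through each public IP, which firewall answers DHCP for each host (and whether more than one would), and which hosts sit on the same segment as the appliance and therefore talk to it without either firewall in the path. A fourth check flags a port forward whose target does not use that firewall as its default gateway, since replies would then leave through the other public IP and the forward would never complete.

```python
# Added illustration of the two-gateway topology in the question; not code from the
# original post. Names, addresses, MACs and ports are constructed (TEST-NET-3 range).
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Forward = Tuple[str, int]   # (proto, public port)
Target = Tuple[str, int]    # (lan host name, lan port)


@dataclass(frozen=True)
class Host:
    name: str
    lan: str        # L2 segment the host sits on
    gateway: str    # firewall used as default route
    mac: str


@dataclass(frozen=True)
class Firewall:
    name: str
    public_ip: str
    lan: str
    port_forwards: Dict[Forward, Target]   # empty dict = nothing exposed
    dhcp_macs: FrozenSet[str]              # MACs it answers DHCP for; empty = DHCP off


# Constructed sample matching the question: one LAN, two gateways, DHCP only for the appliance.
HOSTS: List[Host] = [
    Host("ws-1", "lan-a", "main-fw", "02:00:00:00:00:01"),
    Host("ws-2", "lan-a", "main-fw", "02:00:00:00:00:02"),
    Host("appliance", "lan-a", "simple-fw", "02:00:00:00:00:aa"),
]
FIREWALLS: List[Firewall] = [
    Firewall("main-fw", "203.0.113.1", "lan-a", {}, frozenset()),
    Firewall("simple-fw", "203.0.113.2", "lan-a",
             {("tcp", 8443): ("appliance", 443), ("udp", 5000): ("appliance", 5000)},
             frozenset({"02:00:00:00:00:aa"})),
]


def internet_reachable(firewalls: List[Firewall], hosts: List[Host]) -> Dict[str, List[Tuple[str, str, int]]]:
    """Map every LAN host to the (public_ip, proto, port) entries that reach it from outside.
    Only explicit port forwards open a path; a firewall with none exposes nothing
    behind it, whatever other services it offers."""
    reach: Dict[str, List[Tuple[str, str, int]]] = {h.name: [] for h in hosts}
    for fw in firewalls:
        for (proto, pub_port), (target, _lan_port) in fw.port_forwards.items():
            if target in reach:
                reach[target].append((fw.public_ip, proto, pub_port))
    return reach


def dhcp_servers_for(firewalls: List[Firewall], host: Host) -> List[str]:
    """Firewalls on the host's segment that would answer its DHCP DISCOVER.
    More than one entry means two servers compete on one broadcast domain."""
    return [fw.name for fw in firewalls if fw.lan == host.lan and host.mac in fw.dhcp_macs]


def l2_peers(hosts: List[Host], host: Host) -> List[str]:
    """Hosts the given host reaches without crossing either gateway: they share the
    segment, so neither firewall's policy applies between them."""
    return sorted(h.name for h in hosts if h.lan == host.lan and h.name != host.name)


def asymmetric_forwards(firewalls: List[Firewall], hosts: List[Host]) -> List[Tuple[str, str, int]]:
    """Port forwards whose target does not use that firewall as its default gateway.
    Replies would leave via the other gateway (other public IP), so the forwarded
    connection never completes."""
    gw = {h.name: h.gateway for h in hosts}
    return [(fw.name, proto, port)
            for fw in firewalls
            for (proto, port), (target, _) in fw.port_forwards.items()
            if gw.get(target) != fw.name]


if __name__ == "__main__":
    for name, paths in internet_reachable(FIREWALLS, HOSTS).items():
        print(f"{name}: reachable from internet via {paths or 'nothing'}")
    for h in HOSTS:
        print(f"{h.name}: DHCP from {dhcp_servers_for(FIREWALLS, h) or 'no server'}; "
              f"L2 peers {l2_peers(HOSTS, h)}")
    print("asymmetric forwards:", asymmetric_forwards(FIREWALLS, HOSTS))
```

Run as a script it reports that only the appliance is reachable from outside (via the second public IP on the forwarded ports), that the workstations get no DHCP offer while the appliance gets exactly one, and that the appliance shares its segment with both workstations. Changing the appliance's gateway to the main firewall makes `asymmetric_forwards` list both forwards, which is the misconfiguration most likely to appear when two gateways share one LAN.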