Solved

Firewall Philosophy and Risks

Posted on 2016-11-04
Last Modified: 2016-11-27
I have a few situations where an appliance device will be installed on a site LAN and would need DHCP service, internet access with some security and with some port forwarding set up.

The site has a "main" firewall that performs all kinds of functions like virus scanning, web filtering, threat filtering, logging, etc.  There are no port forwards.  There is no DHCP service active on the LAN.

Rather than perturbing the main firewall configuration with the special requirements of the appliance, it's a fairly simple matter to add a new public IP address, a simple firewall providing DHCP to only the appliance and with the port forwards to the appliance.  This keeps things separate and contained.

Public IP Address 1 >> Main Firewall  Gateway 1  >> LAN A workstations (no DHCP service for workstations)
                                                                                            ||||| (same LAN)
Public IP Address 2 >> Simple Firewall Gateway 2>> LAN A appliance      (DHCP active for only the appliance)

The main firewall provides its security services to the "workstation population" on the LAN.  It has by far the heaviest traffic.

The simple firewall for the appliance doesn't provide much in the way of security services and only handles the appliance traffic.

(The LAN workstations have the main firewall as their gateway.  The appliance has its simpler firewall as its gateway.)

But, doing this raises an interesting question:

It could be argued that having 2 public IP addresses connecting to the same LAN is somehow "worse" from a security point of view.  But that seems more theoretical than practical because either address is equally accessible.  

It could be argued that having a "heavy duty, multifunction firewall" is "better" but is it really for the appliance traffic?

It could be argued that adding a simple firewall makes things "worse" somehow even though the heavy traffic and human-interactive traffic doesn't traverse this path.  Is the simple firewall "worse" because it doesn't offer services or because it's somehow inferior in doing the simple firewalling job?  

I'm interested in thoughtful opinions regarding the described configuration.

If someone wants to discuss alternative configurations then ask and I'll open another question.  (For example, why not put the appliance on another subnet entirely?  Here I'm going to assume this isn't feasible).
Question by:Fred Marshall
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 41875054
Not sure I can cover all of that in one reply, however:

A true business class firewall should have multiple public/WAN ports so no need for a separate one.

If there is no DHCP server anywhere in the LAN, as you suggest, then adding one with a scope of one IP would not harm anything.  In fact, if every other device has a static IP the DHCP server could have a scope of all 254 class C IPs and it would not affect anything.

I see no point in separating the appliance to a separate public IP if the only port forwards are to it and all the internal devices are on the same subnet.
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41875085
A true business class firewall should have multiple public/WAN ports so no need for a separate one.
Granted.  In fact, the only reason for a separate public address would be to accommodate a separate physical firewall device.  There is no other *need* for another public/WAN port.

if every other device has a static IP the DHCP server could have a scope of all 254 class C IPs and it would not affect anything.
Yes.  I understand.  The configuration is as I'd encountered it long ago.   It is inconvenient at times (such as when setting up a new printer that has no control panel! - we no longer buy those).  But, in a somewhat IP-centric way of viewing things, it avoids laziness and pondering "where did that come from?".    And, it avoids the possibility that physical security is breached and some device gets plugged in and works!  It obviously does not avoid someone setting a static IP in the subnet.  The first is a bit "too easy" and the second is a bit "harder" - not solid but subjectively speaking.

I see no point in separating the appliance to a separate public IP if the only port forwards are to it and all the internal devices are on the same subnet.
Except I have to admit that it's easier to do in view of the nature of the "true business firewall" and me.  But indeed that would be a very reasonable way to do it.  But this is an alternate approach.  The question was focused on pros and cons of the described approach.

Thanks for the thoughtful comments!
 
LVL 21

Assisted Solution

by:CompProbSolv
CompProbSolv earned 250 total points
ID: 41875600
If you used a separate firewall, would the LAN side be physically isolated from the main LAN?  If so, then there would be some (slight?) benefit security-wise.  If not, then I think you'd be worse off.

I'd consider enabling DHCP on the existing firewall but, if you don't want rogue devices connecting, restrict the leases to specific MAC addresses.

I would think that the only security issue with port forwarding to a specific device would relate to that device only.  You'd have the same issue with the separate firewall.

As I wrote that, I thought of a potential issue.  If someone were able to hack into the appliance and reprogram it, if it were on the same physical network as the computers then there is some potential for it to create problems there.

If you can keep the wiring separate for the appliance, consider connecting it to one of the ports on the firewall and restricting it to traffic to and from the WAN port only.  Unless someone can hack into the appliance and then hack into your firewall from there (this seems quite unlikely), that should be very secure.

In general, I'd lean heavily toward the single "serious" firewall for this scenario and configure it to accomplish what you need securely.
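The two concrete suggestions in the comment above (a DHCP scope that only serves specific MAC addresses, and a dedicated firewall port for the appliance that may talk to the WAN and nothing else) can be written down as configuration. The following is an added example, not code from the thread or from any product mentioned in it: it emits a dnsmasq fragment and an nftables ruleset as text without applying them. Interface names (lan0, wan0, appl0), the appliance MAC 02:00:00:aa:bb:cc, its address 192.168.1.50 and the forwarded port 8443 -> 443 are placeholders I chose, not values from the page. The `would_lease` function models the lease decision the emitted dnsmasq config would make.

```python
"""Added example: DHCP limited to known MACs plus the appliance-only filter
rules, emitted as text. All addresses and interface names are placeholders."""

APPLIANCE_MAC = "02:00:00:aa:bb:cc"   # constructed placeholder
APPLIANCE_IP = "192.168.1.50"         # constructed placeholder
LAN_IF, WAN_IF, APPL_IF = "lan0", "wan0", "appl0"


def dhcp_config(scope, known_hosts, restrict_to_known=True):
    """dnsmasq fragment. `scope` is (first, last) of the pool; `known_hosts`
    maps MAC -> reserved address. With restrict_to_known=True, dnsmasq ignores
    any MAC that has no dhcp-host entry (dhcp-ignore=tag:!known), so a device
    plugged into the LAN does not simply get an address and work."""
    lines = [f"interface={LAN_IF}", f"dhcp-range={scope[0]},{scope[1]},12h"]
    for mac, ip in known_hosts.items():
        lines.append(f"dhcp-host={mac},{ip}")
    if restrict_to_known:
        lines.append("dhcp-ignore=tag:!known")
    return "\n".join(lines) + "\n"


def would_lease(mac, known_hosts, restrict_to_known=True):
    """Model the lease decision under dhcp_config(): a known MAC gets its
    reservation; an unknown MAC gets a pool address only when unrestricted."""
    if mac in known_hosts:
        return known_hosts[mac]
    return None if restrict_to_known else "pool"


def nft_ruleset(forwards, isolated_if=None):
    """nftables text for the appliance path: DNAT only the listed WAN ports to
    the appliance, accept only those new inbound flows, masquerade outbound.
    With isolated_if set, the appliance sits on its own firewall port and may
    reach the WAN only; forwarding from that port to the main LAN is dropped."""
    nat = [f'    iifname "{WAN_IF}" tcp dport {wp} dnat to {APPLIANCE_IP}:{ap}'
           for wp, ap in forwards]
    fwd = ["    ct state established,related accept"]
    fwd += [f'    iifname "{WAN_IF}" ip daddr {APPLIANCE_IP} tcp dport {ap} '
            f'ct state new accept' for _, ap in forwards]
    if isolated_if:
        fwd.append(f'    iifname "{isolated_if}" oifname "{WAN_IF}" accept')
        fwd.append(f'    iifname "{isolated_if}" oifname "{LAN_IF}" drop')
    else:
        fwd.append(f'    iifname "{LAN_IF}" oifname "{WAN_IF}" accept')
    return (
        "table ip simplefw {\n"
        "  chain prerouting {\n"
        "    type nat hook prerouting priority dstnat;\n"
        + "\n".join(nat) + "\n  }\n"
        "  chain postrouting {\n"
        "    type nat hook postrouting priority srcnat;\n"
        f'    oifname "{WAN_IF}" masquerade\n'
        "  }\n"
        "  chain forward {\n"
        "    type filter hook forward priority filter; policy drop;\n"
        + "\n".join(fwd) + "\n  }\n}\n"
    )


if __name__ == "__main__":
    known = {APPLIANCE_MAC: APPLIANCE_IP}
    # One-address scope, served only to the appliance's MAC.
    print(dhcp_config((APPLIANCE_IP, APPLIANCE_IP), known))
    print(nft_ruleset([(8443, 443)], isolated_if=APPL_IF))
```

Calling `dhcp_config(("192.168.1.1", "192.168.1.254"), known, restrict_to_known=False)` produces the "scope of all 254" variant from the first reply; `would_lease` then hands a pool address to any MAC, which is exactly the rogue-device case the restricted variant closes.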
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41875634
CompProbSolv:
If you used a separate firewall, would the LAN side be physically isolated from the main LAN?
No.  But using a separate LAN or VLAN would be a better solution.  Part of the problem is that the appliance is of low value and there is no cabling where it will reside except the current LAN cabling.  It appears that common practice is to have the appliance on the main LAN.   I suppose I could run a couple of LANs on the same cables and that would do "something" at least.

In general, I'd lean heavily toward the single "serious" firewall for this scenario and configure it to accomplish what you need securely.
Well, I suppose that would be the conventional wisdom.  What I'm looking for here is a discussion on "why?".  

My thinking goes like this (and I'm surely open to suggestions):
The "serious" firewall is no more "serious" except for its handling of serious traffic (AV, Web filtering, etc. and perhaps some "nice to have" features like failover, etc.)
A simple firewall can block traffic just as well and can do port forwarding just as well.
Is there any disagreement with that?
I can think of but a few exceptions:
For example, a better firewall might add stateful packet inspection for traffic within the LAN that might traverse the firewall.  Simpler ones don't do that. (An example is when there's a separate VPN or MPLS device on the LAN and the firewall is the gateway.  The outgoing traffic traverses the LAN side of the firewall.)
Here, my idea is to use the simple firewall as the gateway for the appliance only and the serious firewall for everything else.  

The very idea of this posed the question for me that I've posed here:
Is the simple firewall "worse" because it doesn't offer services or because it's somehow inferior in doing the simple firewalling job?  
It's always easy to think of the "better" firewall as "better" in all respects and the others as somehow inferior.  When is that justified with facts?  When is that not justified with facts?  I hope I'm conveying the idea better.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 41879733
Firewalls are thought to be more stack-complete if you will, they typically have more abilities than routers do in terms of the OSI stack. If your "2nd firewall" has no open ports incoming (ingress) and has no real ACL's to speak of beyond denying incoming traffic for the publicly addressed IP space, you can use any SOHO product for your DHCP needs. A small switch, wifi router could do just as well as a "2nd firewall". Right now I'm not understanding the need for this setup, as your "big" main firewall can have ACL's applied on all its interfaces to be sure. If the CPU isn't being pegged at peak working times, there is no need for a second one to share the load with.
Having an IP, or many IP's isn't a security threat, having open ports with running services behind them is where the "threat" begins. NAT'ing out isn't a threat.
I think we're into the weeds if we think of a layer-3 ACL being bad or worse because of the device applying such an ACL. A router blocking TCP 1.2.3.4 ports 0-65535 is the same as a switch or a firewall applying that rule. The packets are dropped equally. Where a firewall starts to shine above most switches or routers is the upper layers 4-7. Most OS's too can do good firewalling at various layers too.
-rich
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41879840
Rich,

OK.  It sounds like this is starting to make some sense to me.  
In my simple view, one differentiator is the expected traffic or traffic types.
I can see that the Layers apply to different types.

Where a firewall starts to shine above most switches or routers is the upper layers 4-7.
So, conversely, "where a simple firewall starts to dim compared to a better firewall is in the upper layers 4-7."  My question is: when does that matter?  I know you tried to answer that....
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 41880354
It doesn't, so the question is befuddling :) A block is a block I would say, it doesn't matter what appliance carries it out. Routers, Switches and OS's can be as effective as each other in blocking on MAC address or by IP (layer2/3 respectively). Some "next-gen" firewalls can read the URL destination, or content in the packets that put them in a more unique position to create blocks beyond layers 2/3. Many appliances also have DHCP available. The word 2nd firewall in this question is in my mind interchangeable with any other networking device. So then the question becomes, is this setup needed at all? I am not able to answer that, I've seen this in networking, a dedicated DHCP server for one segment or one vlan, it doesn't introduce any exposure to your org if you're not opening any additional ports inside. It's always possible a certain packet may interfere with a device, but unless it somehow affects layer 3, a flaw I've not seen in a generation now (think ping of death), you aren't creating any additional security issues from the outside perspective.
-rich
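The accepted answer's "a block is a block" and the asker's earlier remark that a better firewall adds stateful packet inspection are the two halves of the same point, and a small simulation makes it concrete. The following is an added example, not code from the thread or from any product in it: it runs constructed packets through a router-style stateless ACL (which treats any inbound TCP segment with the ACK bit set as part of an established connection) and through a connection-tracking filter that only admits replies to flows it saw the LAN side open. The appliance address 192.168.1.50, the WAN address 203.0.113.9 and the forwarded port 443 are constructed placeholders. For a plain deny of an unforwarded port the two verdicts are identical, which is Rich's point; they differ only for an unsolicited inbound segment that merely carries the ACK flag, which is where layer-4 state starts to matter.

```python
"""Added example: where a layer-3/4 block is the same on any device, and
where connection tracking differs from a stateless ACL. Constructed data."""
from dataclasses import dataclass

LAN_HOST = "192.168.1.50"   # constructed: the appliance that receives the forward
FWD_PORT = 443              # the single forwarded port in this toy setup


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str            # "in" = WAN->LAN, "out" = LAN->WAN
    syn: bool = False
    ack: bool = False


def stateless_acl(pkt):
    """Router-style ACL with no memory: outbound allowed; inbound allowed to
    the forwarded port, or whenever the ACK bit is set (the classic
    'established' keyword trusts the flag, not the connection history)."""
    if pkt.direction == "out":
        return "accept"
    if pkt.dst == LAN_HOST and pkt.dport == FWD_PORT:
        return "accept"
    if pkt.ack:
        return "accept"
    return "drop"


class StatefulFilter:
    """Connection-tracking filter: inbound passes only for the forwarded port
    or for a flow this filter saw the LAN side initiate."""

    def __init__(self):
        self.flows = set()    # (lan_ip, lan_port, wan_ip, wan_port)

    def evaluate(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if pkt.dst == LAN_HOST and pkt.dport == FWD_PORT:
            return "accept"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "accept"
        return "drop"


def compare(scenario):
    """Feed one packet sequence to both filters; return (stateless, stateful)
    verdicts for the final packet of the sequence."""
    tracker = StatefulFilter()
    stateless = stateful = None
    for pkt in scenario:
        stateless = stateless_acl(pkt)
        stateful = tracker.evaluate(pkt)
    return stateless, stateful


def scenarios():
    wan = "203.0.113.9"   # constructed, TEST-NET-3 documentation range
    return {
        # Deny of an unforwarded port: identical on any device.
        "blocked_ssh": [Packet(wan, LAN_HOST, 40000, 22, "in", syn=True)],
        # The one forwarded port: identical too.
        "forwarded_https": [Packet(wan, LAN_HOST, 40001, FWD_PORT, "in", syn=True)],
        # SYN-ACK reply to a connection the appliance opened: both accept.
        "legit_reply": [
            Packet(LAN_HOST, wan, 50000, 443, "out", syn=True),
            Packet(wan, LAN_HOST, 443, 50000, "in", syn=True, ack=True),
        ],
        # Unsolicited inbound segment that only carries ACK: the stateless ACL
        # passes it on the flag alone; the stateful filter has no such flow.
        "unsolicited_ack": [Packet(wan, LAN_HOST, 443, 50001, "in", ack=True)],
    }


def run_all():
    """Return {scenario: (stateless_verdict, stateful_verdict)}."""
    return {name: compare(pkts) for name, pkts in scenarios().items()}


if __name__ == "__main__":
    for name, verdicts in run_all().items():
        print(f"{name:18s} stateless={verdicts[0]:6s} stateful={verdicts[1]}")
```

The table `run_all()` returns is the answer to "when does it matter?": not for the deny of port 22, not for the forwarded port, not for a genuine reply, but for the fourth row, where the filter without state has nothing but a flag to go on.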
 
LVL 26

Author Closing Comment

by:Fred Marshall
ID: 41903499
Thanks!