hypercube asked:

Firewall Philosophy and Risks

I have a few situations where an appliance device will be installed on a site LAN and would need DHCP service, internet access with some security, and some port forwarding set up.

The site has a "main" firewall that performs all kinds of functions like virus scanning, web filtering, threat filtering, logging, etc.  There are no port forwards.  There is no DHCP service active on the LAN.

Rather than perturbing the main firewall configuration with the special requirements of the appliance, it's a fairly simple matter to add a new public IP address, a simple firewall providing DHCP to only the appliance and with the port forwards to the appliance.  This keeps things separate and contained.

Public IP Address 1 >> Main Firewall   Gateway 1 >> LAN A workstations (no DHCP service for workstations)
                                                      ||||| (same LAN)
Public IP Address 2 >> Simple Firewall Gateway 2 >> LAN A appliance     (DHCP active for only the appliance)

The main firewall provides its security services to the "workstation population" on the LAN.  It has by far the heaviest traffic.

The simple firewall for the appliance doesn't provide much in the way of security services and only handles the appliance traffic.

(The LAN workstations have the main firewall as their gateway.  The appliance has its simpler firewall as its gateway.)

But, doing this raises an interesting question:

It could be argued that having 2 public IP addresses connecting to the same LAN is somehow "worse" from a security point of view.  But that seems more theoretical than practical because either address is equally accessible.  

It could be argued that having a "heavy duty, multifunction firewall" is "better" but is it really for the appliance traffic?

It could be argued that adding a simple firewall makes things "worse" somehow even though the heavy traffic and human-interactive traffic doesn't traverse this path.  Is the simple firewall "worse" because it doesn't offer services or because it's somehow inferior in doing the simple firewalling job?  

I'm interested in thoughtful opinions regarding the described configuration.

If someone wants to discuss alternative configurations then ask and I'll open another question.  (For example, why not put the appliance on another subnet entirely?  Here I'm going to assume this isn't feasible).
Larry Struckmeyer MVP:

Not sure I can cover all of that in one reply, however:

A true business class firewall should have multiple public/WAN ports so no need for a separate one.

If there is no DHCP server anywhere in the LAN, as you suggest, then adding one with a scope of one IP would not harm anything.  In fact, if every other device has a static IP the DHCP server could have a scope of all 254 class C IPs and it would not affect anything.

I see no point in separating the appliance to a separate public IP if the only port forwards are to it and all the internal devices are on the same subnet.
hypercube (asker):

A true business class firewall should have multiple public/WAN ports so no need for a separate one.
Granted.  In fact, the only reason for a separate public address would be to accommodate a separate physical firewall device.  There is no other *need* for another public/WAN port.

if every other device has a static IP the DHCP server could have a scope of all 254 class C IPs and it would not affect anything.
Yes.  I understand.  The configuration is as I'd encountered it long ago.  It is inconvenient at times (such as when setting up a new printer that has no control panel! - we no longer buy those).  But, in a somewhat IP-centric way of viewing things, it avoids laziness and pondering "where did that come from?".  And, it avoids the possibility that physical security is breached and some device gets plugged in and works!  It obviously does not avoid someone setting a static IP in the subnet.  The first is a bit "too easy" and the second is a bit "harder" - not solid but subjectively speaking.

I see no point in separating the appliance to a separate public IP if the only port forwards are to it and all the internal devices are on the same subnet.
Except I have to admit that it's easier to do in view of the nature of the "true business firewall" and me.  But indeed that would be a very reasonable way to do it.  But this is an alternate approach.  The question was focused on pros and cons of the described approach.

Thanks for the thoughtful comments!
SOLUTION by CompProbSolv (members-only; the reply text is not shown on this page)

hypercube (asker):
CompProbSolv:
If you used a separate firewall, would the LAN side be physically isolated from the main LAN?
No.  But using a separate LAN or VLAN would be a better solution.  Part of the problem is that the appliance is of low value and there is no cabling where it will reside except the current LAN cabling.  It appears that common practice is to have the appliance on the main LAN.   I suppose I could run a couple of LANs on the same cables and that would do "something" at least.

In general, I'd lean heavily toward the single "serious" firewall for this scenario and configure it to accomplish what you need securely.
Well, I suppose that would be the conventional wisdom.  What I'm looking for here is a discussion on "why?".  

My thinking goes like this (and I'm surely open to suggestions):
The "serious" firewall is no more "serious" except for its handling of serious traffic (AV, Web filtering, etc. and perhaps some "nice to have" features like failover, etc.)
A simple firewall can block traffic just as well and can do port forwarding just as well.
Is there any disagreement with that?
I can think of but a few exceptions:
For example, a better firewall might add stateful packet inspection for traffic within the LAN that might traverse the firewall.  Simpler ones don't do that. (An example is when there's a separate VPN or MPLS device on the LAN and the firewall is the gateway.  The outgoing traffic traverses the LAN side of the firewall.)
Here, my idea is to use the simple firewall as the gateway for the appliance only and the serious firewall for everything else.  

The very idea of this posed the question for me that I've posed here:
Is the simple firewall "worse" because it doesn't offer services or because it's somehow inferior in doing the simple firewalling job?  
It's always easy to think of the "better" firewall as "better" in all respects and the others as somehow inferior.  When is that justified with facts?  When is that not justified with facts?  I hope I'm conveying the idea better.

Firewalls are thought to be more stack-complete if you will, they typically have more abilities than routers do in terms of the OSI stack. If your "2nd firewall" has no open ports incoming (ingress) and has no real ACLs to speak of beyond denying incoming traffic for the publicly addressed IP space, you can use any SOHO product for your DHCP needs. A small switch, wifi router could do just as well as a "2nd firewall". Right now I'm not understanding the need for this setup, as your "big" main firewall can have ACLs applied on all its interfaces to be sure. If the CPU isn't being pegged at peak working times, there is no need for a second one to share the load with.
Having an IP, or many IPs isn't a security threat, having open ports with running services behind them is where the "threat" begins. NAT'ing out isn't a threat.
I think we're into the weeds if we think of a layer-3 ACL being bad or worse because of the device applying such an ACL. A router blocking TCP 1.2.3.4 ports 0-65535 is the same as a switch or a firewall applying that rule. The packets are dropped equally. Where a firewall starts to shine above most switches or routers is the upper layers 4-7. Most OSes too can do good firewalling at various layers too.
-rich
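The layer-3 versus layer-4 distinction rich draws above, as an added example that is not part of the thread and not any poster's code: a toy Python model of the simple-firewall path from the question, with a stateless L3/L4 ACL beside a connection-tracking filter, run over the same constructed packets. The public address 203.0.113.2, the appliance address 192.0.2.10, the remote host 198.51.100.7 and the forwarded port 8443 are all constructed (RFC 5737 documentation ranges), NAT is modelled as port-preserving, and the traffic is built inline.

```python
"""Toy packet filter comparing a stateless L3/L4 ACL with a stateful filter.

Added illustration for this thread, not code from any poster.  All
addresses are constructed from RFC 5737 documentation ranges.
"""
from dataclasses import dataclass

WAN_IP = "203.0.113.2"       # simple firewall's public address (constructed)
APPLIANCE_IP = "192.0.2.10"  # appliance on LAN A (constructed)
FORWARDED_PORT = 8443        # the one port forwarded to the appliance (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    direction: str = "in"    # "in" = arrives on the WAN side, "out" = appliance -> Internet


def stateless_acl(pkt: Packet) -> str:
    """Stateless rule set of the kind a router, switch or firewall can apply
    identically (the layer-3/4 point in rich's reply):
      - anything outbound is allowed;
      - inbound to the forwarded port is DNATed to the appliance;
      - inbound with ACK set is assumed to be a reply to something the LAN
        opened (the classic 'established' heuristic), because the box keeps
        no connection state;
      - everything else is dropped.
    """
    if pkt.direction == "out":
        return "accept"
    if pkt.dst != WAN_IP:
        return "drop"
    if pkt.dport == FORWARDED_PORT:
        return f"dnat->{APPLIANCE_IP}:{FORWARDED_PORT}"
    if pkt.ack:
        return "accept"      # nothing verifies that such a flow exists
    return "drop"


class StatefulFilter:
    """Connection-tracking filter: inbound packets are accepted only when
    they belong to a flow the appliance opened, or are a new connection to
    the forwarded port.  SNAT is modelled as port-preserving for simplicity."""

    def __init__(self) -> None:
        # (lan_ip, lan_port, remote_ip, remote_port) for every tracked flow
        self.flows = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if pkt.dst != WAN_IP:
            return "drop"
        key = (APPLIANCE_IP, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            # packet belongs to a flow we actually saw open (either direction)
            if pkt.dport == FORWARDED_PORT:
                return f"dnat->{APPLIANCE_IP}:{FORWARDED_PORT}"
            return "accept"
        if pkt.dport == FORWARDED_PORT and pkt.syn and not pkt.ack:
            self.flows.add(key)  # new inbound connection through the port forward
            return f"dnat->{APPLIANCE_IP}:{FORWARDED_PORT}"
        return "drop"


def run_scenario() -> dict:
    """Run constructed traffic through both filters in order; returns
    {case_name: (stateless_decision, stateful_decision)}."""
    remote = "198.51.100.7"  # some host on the Internet (constructed)
    stateful = StatefulFilter()
    cases = [
        ("syn_to_forwarded_port", Packet(remote, 40001, WAN_IP, FORWARDED_PORT, syn=True)),
        ("syn_to_other_port",     Packet(remote, 40002, WAN_IP, 22, syn=True)),
        ("appliance_opens_https", Packet(APPLIANCE_IP, 51000, remote, 443, syn=True, direction="out")),
        ("reply_to_https",        Packet(remote, 443, WAN_IP, 51000, syn=True, ack=True)),
        ("ack_with_no_flow",      Packet(remote, 443, WAN_IP, 51001, ack=True)),
    ]
    return {name: (stateless_acl(pkt), stateful.filter(pkt)) for name, pkt in cases}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:24s} stateless={stateless:22s} stateful={stateful}")
```

Run as a script it prints each filter's decision per packet. The two agree on unsolicited inbound connections (the forwarded port is passed, everything else dropped, which is the "packets are dropped equally" point) and on a genuine reply to a connection the appliance opened. They diverge only on the ACK-flagged packet that matches no tracked flow: the stateless "established" shortcut lets it through, the connection-tracking filter drops it. That is the concrete place where being "dimmer at layer 4" matters on the appliance path, and the thing to verify about any simple firewall placed in front of a port forward is that it tracks connections rather than matching on TCP flags.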
Rich,

OK.  It sounds like this is starting to make some sense to me.  
In my simple view, one differentiator is the expected traffic or traffic types.
I can see that the Layers apply to different types.

Where a firewall starts to shine above most switches or routers is the upper layers 4-7.
So, conversely, "where a simple firewall starts to dim compared to a better firewall is in the upper layers 4-7."  My question is: when does that matter?  I know you tried to answer that....
ASKER CERTIFIED SOLUTION (members-only; the text is not shown on this page)
Thanks!