Dual Firewall Setup [ FW > DMZ > FW > LAN ]

Hello All,

 

 

 I am currently building a dual firewall network and am seeking some advice. I am not sure if I'm doing it wrong. Below is my current network topology.

 

    1.1.x.x      192.168.1.1                     192.168.1.10
    Internet  >  EXT Firewall  >  DMZ Switch  >  DMZ Servers
                                      |
                                 192.168.1.2  (WAN interface)
                                 INT Firewall
                                 10.0.0.1     (LAN interface)
                                      |
                                 LAN Switch  >  DB Server (10.0.0.10) (192.168.1.20 DMZ IP)

 

For example, for a DMZ server to access the DB from the DMZ, it has to be NATted from 192.168.1.20 to 10.0.0.10 to reach the DB server. Am I doing it right? Or is there a better and more proper way to do so?

  • Hi Samuel,

    I don't understand why you would want the complexity of a second device since everything you've described can be done more easily with a single UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    It's a government standard for certain organisations to have dual firewalls.

  • Your configuration makes sense. Other than general encouragement, I am not sure what information you were seeking.

    I would use UTM for the internal firewall and something else for the external firewall.  This allows you to use normal access control lists (rather than DNAT-to-DeadEnd) when you need to block a source-destination pair.

    The reason for dual firewalls is that even if the bad guys own your DMZ servers, and use them to own your external firewall, they will not own your network because there will be very limited, if any, incoming connections allowed through the internal firewall. 

    There is also an incentive to use two different devices, so that a fatal flaw in the external firewall cannot be exploited equally easily on the internal firewall.

     

  • Doug, I don't understand why the same level of security can't be provided with a DMZ and the internal LAN connected to the UTM on different interfaces.  The only factor I can see is that having two separate devices managed by two different people ensures that one person cannot create a security hole alone.  If someone leaves their firewall open to be owned by a device in the DMZ, the organization hired the wrong person and the wrong supervisor.

    That said, a government regulation is a good reason.  Just because I'm skeptical of the justification for the regulation doesn't mean it can be ignored!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This question brought back memories of the first time that I heard the term "DMZ".   It described a DMZ architecture as some internet-accessible servers between two firewalls.   The article was actually pointing out ways that even a dual-firewall configuration can be defeated, but the concept made sense.

    These are the perceived problems with a single firewall:

    1. (Most difficult) A critical bug exploit in the firewall allows the attacker to seize control of the firewall directly.   If you only have one firewall with three interfaces, a successful capture of the firewall gives the attacker an unrestricted opportunity to attack the internal network.

    2. (Somewhat less difficult):   The attacker penetrates a DMZ server, and then uses the victim server to attack the firewall.   The firewall will be softer on the DMZ side than on the internet side, so the opportunities for attack escalation are proportionately higher.  Once the only firewall is penetrated, the internal network is exposed.

    With two firewalls:

    If attack 1 is used successfully on the first phase, that attack method is likely to fail if the second firewall is a different model.

    Whichever attack is used in phase 1, it provides little or no help for phase 2 because the second firewall treats inbound connections from the DMZ as untrusted.   Minimizing the number of open ports from DMZ to internal is essential to any defense architecture.  

    I don't like the DNAT-to-DeadEnd workaround, so if you are buying two different firewall models, I think UTM is better suited as the interior device.

    I was not saying that the two-firewall method is the only valid one, but I understand why the government thinks it is important. 

  • Hello Samuel Ip,

    From my point of view your configuration is correct. In practice I see more and more three-armed configurations though. In my opinion, if some attacker wants to attack YOUR organization at all costs he probably won't go through your firewall. He will try to get a backdoor through social engineering or try to install some device inside your network ...

    As stated by some users here it might be a good idea to have different devices here. If money matters you could also use a Layer 3 Switch with ACLs.

    However isn't this plain routing instead of NAT?

    > For example, For DMZ server to access the DB from DMZ, it has to be NATted from 192.168.1.20 to 10.0.0.10 to access DB server. Am i doing it right? Or is there any better and proper way to do so?

    Regards,

    Bernd

     
  • Yes, agreed that I understand why the two-firewall method might be required.  I suspect that that is an old requirement, not a recently-enacted one.

    I don't agree that the DMZ interface should be "softer" than the WAN interface - there should be no ports open to the LAN from there.  I bet you can find a different, more-secure solution for any "need" for an open port.

    Interesting discussion!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,

     

    There are various ways I can connect with a dual setup. I can do a dual-NIC DMZ server and have it use a static route to the INT firewall as gateway, I can do it per VLAN by server and have the firewall control every single port and rule, or I can use NAT to access internal servers. I'm trying to find the most secure way. The most secure means the fewest flaws. I understand there is always risk whenever a routed subnet exists. I'm trying to minimize the risk. We are also running decent Brocade L3 switches. The question is, people tend to challenge whatever comes to mind. Example:

     

    1. What if someone hacks the DMZ server and the DMZ server always has a NAT rule to the backend server, meaning the hacker can access the backend server from the DMZ server?

    2. What if someone has access to the DMZ subnet, meaning they can do an IP scan on the NAT IP to access the backend server?

    3. If the DMZ server has a static route to the backend servers, what is the point of the firewall and using dual layers if someone gains access to the DMZ server?

    There are more questions challenging the infra and network security. I'm not a network security guy, but I'm trying to do it right and minimize the risk.

  • Hello Bernd,

     

    > For example, For DMZ server to access the DB from DMZ, it has to be NATted from 192.168.1.20 to 10.0.0.10 to access DB server. Am i doing it right? Or is there any better and proper way to do so?

     

    Explanation for your question.

     

    I assume plain routing means the DMZ server calls the DB server directly with the 10.0.0.10 IP. The DMZ subnet has direct access to the 10.0.0.x subnet, assuming the firewall is set to any any any.

    NATted means the DMZ server calls the DB server with 192.168.1.20, not directly with 10.0.0.10, as 192.168.1.x has no direct route to 10.0.0.x.

     

    Or am I wrong?
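The NAT-versus-routing question and the three "what if the DMZ server is hacked" scenarios above come down to the same thing: what the INT firewall's filter rule permits from the DMZ. The toy packet-filter model below is an added illustration, not code from the thread or from Sophos; it uses the thread's addresses (192.168.1.20 DNATted to 10.0.0.10, DMZ server 192.168.1.10) and assumes a DB port of 1433 and a second, compromised DMZ host at 192.168.1.11.

```python
"""Toy model of the INT firewall's DMZ-to-LAN policy (added illustration).
Compares DNAT through a DMZ-side address against plain routing and shows that
the reachable surface is set by the filter rule, not by address translation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DB_LAN_IP = "10.0.0.10"      # DB server on the LAN (from the thread)
DB_DMZ_IP = "192.168.1.20"   # DMZ-side NAT address of the DB server (from the thread)
WEB_SERVER = "192.168.1.10"  # the DMZ server that legitimately needs the DB
DB_PORT = 1433               # assumed DB listener port


@dataclass(frozen=True)
class Rule:
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First-match packet filter with an implicit default drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "drop"


def check(src: str, dst: str, dport: int, rules: List[Rule], dnat: bool = False) -> str:
    """Verdict for one DMZ->LAN flow. With dnat=True the DMZ-side address is
    rewritten to the LAN address before the filter runs, as on a real firewall."""
    if dnat and dst == DB_DMZ_IP:
        dst = DB_LAN_IP
    return evaluate(rules, src, dst, dport)


# Over-broad rule that "a NAT rule to the backend" often ends up as: any DMZ host.
BROAD = [Rule("192.168.1.0/24", DB_LAN_IP + "/32", DB_PORT, "accept")]
# Pinned rule: only the one DMZ server, only the DB port (the thread's advice).
PINNED = [Rule(WEB_SERVER + "/32", DB_LAN_IP + "/32", DB_PORT, "accept")]

if __name__ == "__main__":
    # Question 2 from the thread: a second DMZ host scanning the NAT address.
    print("broad  + DNAT:", check("192.168.1.11", DB_DMZ_IP, DB_PORT, BROAD, dnat=True))
    print("pinned + DNAT:", check("192.168.1.11", DB_DMZ_IP, DB_PORT, PINNED, dnat=True))
    print("pinned routed:", check(WEB_SERVER, DB_LAN_IP, DB_PORT, PINNED))
    print("pinned routed, other port:", check(WEB_SERVER, DB_LAN_IP, 22, PINNED))
```

With the broad rule, the second DMZ host reaches the DB through the NAT address exactly as feared in question 2; with the pinned rule it is dropped whether the design uses DNAT or plain routing, which is the point Bernd and Bob make.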