[147348] in North American Network Operators' Group
Re: BGP and Firewalls...
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Wed Dec 7 13:38:42 2011
Date: Wed, 7 Dec 2011 10:36:53 -0800
From: Leo Bicknell <bicknell@ufp.org>
To: "nanog@nanog.org" <nanog@nanog.org>
Mail-Followup-To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <922ACC42D498884AA02B3565688AF995340255F8A3@USEXMBS01.mwd.h2o>
In a message written on Wed, Dec 07, 2011 at 10:19:58AM -0800, Holmes, David A wrote:
> My concern is whether or not consolidating border router and firewall
> functions in the same device violates, if not explicitly, then the spirit
> of the "defense in depth" Internet edge design principle. Here is a link
> to a Department of Homeland Security document where this is discussed
> (for control systems, but has general application), but not addressed
> directly: http://www.inl.gov/technicalpublications/Documents/3375141.pdf
I don't think you're looking at defense in depth in the right way,
and thus your question doesn't quite make sense.
If you look at the attack vector described in the paper you link
it shows what many of us in the ISP world call the "soft gooey
center". As you see the attacker finds a way to bypass the corporate
firewall, and once inside the network there are no further controls
to prevent the attacker from hopping between corporate desktops,
corporate servers, and eventually a SCADA network.
Defense in depth is about internal compartmentalization. The diagram
shows deploying additional firewalls between corporate LAN users
and corporate servers, and then again between corporate servers and
SCADA networks. The idea is even if the attacker is able to bypass
one firewall, they have to pass through a second to get to another
zone.
Even with a defense in depth design with these multiple firewalls
(really, access control points), there is still the question you
ask, should the checkpoint devices be multiple boxes (e.g. firewall
and IDS in separate chassis) or unified boxes (firewall+IDS in a
single box). It's really a totally orthogonal question.
What defense in depth does not allow you to do (from my understanding)
is consolidate these multiple firewall functions into one large
virtual firewall, because then you're back to a single point of
failure/control.
To summarize, "defense in depth" requires access control and
monitoring between different security zones, and that those access
control devices not be shared with devices handling other zones.
The devices themselves can include multiple functions on a single
device without affecting the strategy.
Is stacking functions on one device a good idea? Well, millions of
residential users do it (firewall+ids+ips all in one), and plenty of
corporate users have had trouble scaling all-in-one devices. Multiple
devices provide greater opportunity to select best of breed, but add
more failure points and more things to manage and correlate. Which
tradeoffs are best for you and your network is something that can't be
easily answered with a rule, or by someone else on the Internet.
-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
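The zone-and-checkpoint argument in the post above, worked through as a small model. This is an added example and is not code from the original message or from the DHS paper it links: zones are nodes, each checkpoint (a firewall or other access-control point) sits between zones with an allow policy and lives on a device, and the model asks which zones an attacker starting on the Internet can reach when one checkpoint, or every checkpoint hosted on one device, is bypassed. All zone, checkpoint and device names, and the policies themselves, are constructed for illustration.

```python
"""
Added example (not from the original post): model of the "soft gooey
center" versus a segmented design, and of what happens when the segmented
design's checkpoints are consolidated onto one virtual firewall.
Zone, checkpoint, device names and policies are all constructed.
"""
from collections import deque
from itertools import permutations


class Checkpoint:
    """An access-control point between zones.

    zones:   the zones this checkpoint sits between
    allowed: (src, dst) pairs permitted to initiate traffic across it
    device:  the chassis or virtual firewall enforcing it; checkpoints on
             the same device are bypassed together when that device fails
    """

    def __init__(self, name, zones, allowed, device):
        self.name = name
        self.zones = frozenset(zones)
        self.allowed = frozenset(allowed)
        self.device = device

    def next_hops(self, zone, bypassed):
        if zone not in self.zones:
            return set()
        if bypassed:
            # A bypassed checkpoint enforces nothing: every zone it touches
            # is reachable from every other zone it touches.
            return set(self.zones) - {zone}
        return {dst for (src, dst) in self.allowed if src == zone}


def reachable_zones(checkpoints, start, bypassed=frozenset()):
    """Pessimistic attacker model: a zone the attacker can initiate
    connections into is treated as a zone they can then pivot from."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for cp in checkpoints:
            for nxt in cp.next_hops(zone, cp.name in bypassed):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen


def single_checkpoint_exposure(checkpoints, start, target):
    """Names of checkpoints whose bypass, alone, lets start reach target."""
    return sorted(cp.name for cp in checkpoints
                  if target in reachable_zones(checkpoints, start, {cp.name}))


def single_device_exposure(checkpoints, start, target):
    """Devices whose failure (every checkpoint they host bypassed at once)
    lets start reach target."""
    exposed = []
    for dev in sorted({cp.device for cp in checkpoints}):
        bypassed = {cp.name for cp in checkpoints if cp.device == dev}
        if target in reachable_zones(checkpoints, start, bypassed):
            exposed.append(dev)
    return exposed


# "Soft gooey center": one perimeter firewall, everything behind it flat.
INTERNAL = ["lan", "servers", "scada"]
FLAT = [
    Checkpoint("perimeter", ["internet"] + INTERNAL,
               allowed=set(permutations(INTERNAL, 2))
               | {(z, "internet") for z in INTERNAL},
               device="edge-fw"),
]


def segmented(device_for):
    """Segmented design: a checkpoint at each zone boundary. The SCADA
    boundary only lets SCADA push data outward to the server zone."""
    return [
        Checkpoint("perimeter", ["internet", "lan"],
                   allowed={("lan", "internet")}, device=device_for("perimeter")),
        Checkpoint("server_fw", ["lan", "servers"],
                   allowed={("lan", "servers")}, device=device_for("server_fw")),
        Checkpoint("scada_fw", ["servers", "scada"],
                   allowed={("scada", "servers")}, device=device_for("scada_fw")),
    ]


SEPARATE = segmented(lambda name: name + "-box")         # one box per checkpoint
CONSOLIDATED = segmented(lambda name: "big-virtual-fw")  # all on one device

if __name__ == "__main__":
    for label, design in [("flat", FLAT), ("separate", SEPARATE),
                          ("consolidated", CONSOLIDATED)]:
        print(label,
              "checkpoint:", single_checkpoint_exposure(design, "internet", "scada"),
              "device:", single_device_exposure(design, "internet", "scada"))
```

Run stand-alone it reports that the flat design exposes the SCADA zone on a single checkpoint bypass, that the segmented design with one box per checkpoint exposes it on no single checkpoint or device failure (two checkpoints must fall, e.g. perimeter plus scada_fw), and that the same three checkpoints consolidated on one virtual firewall are exposed again by that one device. Whether the checkpoint itself is a firewall-only box or a firewall-plus-IDS box does not enter the model at all, which is the orthogonality point the post makes.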