Monday, July 5, 2010

Redundant firewalls

I was just talking to someone at a company we occasionally deal with, and they hadn't heard of this before, but they liked the sound of it:

Don't have just one firewall, but have two. Make sure they are from two different companies/manufacturers.

I have been aware of this for as long as I have been in the business world, so it didn't even occur to me that others hadn't thought of it yet. (That said, due to no funding, where I work currently has only a single firewall - it still works okay for us.)

The thinking is that you set it up something like this:
Internet - Firewall A - Firewall B - Intranet

That way, if Firewall A turns out to have a security hole and gets compromised, Firewall B is still in place and, being from a different manufacturer, theoretically shouldn't have the same hole. Of course, if Firewall B is the one with the hole, the reverse applies: Firewall A blocks outsiders, so they can't even reach Firewall B to try it out. Either way, traffic only reaches the intranet if both firewalls let it through.
With that said, it should be obvious that this takes twice the configuration hassle, since every port you need has to be passed through both firewalls. Also note that you don't want the login/password to be the same on both: if one gets compromised, you have to assume that everything on it, credentials included, is known. If an attacker has the user/password from one firewall and the other uses the same one, what is the point of having two?
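To make the two points above concrete (traffic must pass both filters, and every needed port has to be opened on both), here is an added example that is not from the original post or any firewall vendor: a small Python model of two independently configured, default-deny, first-match packet filters in series. The rule sets, addresses and the "hole" in Firewall A are constructed for illustration; the addresses are documentation ranges, not anyone's real network.

```python
"""Constructed model of Internet - Firewall A - Firewall B - Intranet.

Each firewall is a first-match rule list with default deny. A packet reaches
the intranet only if BOTH allow it, so a hole in one vendor's configuration
is still covered by the other.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    dport: int  # destination TCP port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source network, CIDR notation
    dst: str                     # destination network, CIDR notation
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    """First-match packet filter; anything no rule matches is denied."""

    def __init__(self, name: str, rules: list):
        self.name = name
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


def chain_decide(firewalls, pkt):
    """Evaluate the firewalls in series, outside to inside.

    Returns ("allow", None) if every firewall permits the packet, otherwise
    ("deny", name of the first firewall that stopped it).
    """
    for fw in firewalls:
        if fw.decide(pkt) != "allow":
            return ("deny", fw.name)
    return ("allow", None)


def services_not_passed(firewalls, services, probe_src="198.51.100.1"):
    """Configuration check for the 'pass the port through both' chore.

    For each required (dst, port), list the firewalls that would block a
    probe from an outside address, so the operator sees which of the two
    configurations still lacks the rule. An empty dict means every service
    is reachable end to end.
    """
    missing = {}
    for dst, port in services:
        pkt = Packet(probe_src, dst, port)
        blockers = [fw.name for fw in firewalls if fw.decide(pkt) != "allow"]
        if blockers:
            missing[(dst, port)] = blockers
    return missing


# Constructed sample hosts on the intranet side.
WEB, MAIL, ADMIN_PC = "10.0.0.10", "10.0.0.20", "10.0.0.30"

# Vendor A: publishes web and mail, but also carries a leftover, far too
# broad rule - the kind of "hole" the post worries about.
FIREWALL_A = Firewall("Firewall A", [
    Rule("allow", "0.0.0.0/0", WEB + "/32", 443),
    Rule("allow", "0.0.0.0/0", WEB + "/32", 80),
    Rule("allow", "0.0.0.0/0", MAIL + "/32", 25),
    Rule("allow", "203.0.113.0/24", "10.0.0.0/24"),  # the hole: any port
])

# Vendor B: configured separately; port 80 was never passed through here.
FIREWALL_B = Firewall("Firewall B", [
    Rule("allow", "0.0.0.0/0", WEB + "/32", 443),
    Rule("allow", "0.0.0.0/0", MAIL + "/32", 25),
])

CHAIN = [FIREWALL_A, FIREWALL_B]  # Internet -> A -> B -> Intranet


def demo():
    # Legitimate web traffic passes both filters.
    web = chain_decide(CHAIN, Packet("198.51.100.7", WEB, 443))
    # Traffic that A's hole lets through is still stopped by B.
    rdp = chain_decide(CHAIN, Packet("203.0.113.9", ADMIN_PC, 3389))
    # A service opened on only one firewall is not reachable end to end.
    gaps = services_not_passed(CHAIN, [(WEB, 443), (MAIL, 25), (WEB, 80)])
    return web, rdp, gaps


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running it shows the effective policy is the intersection of the two rule sets: the broad rule in Firewall A lets a probe toward the admin PC through, but Firewall B, with its own separately written configuration, stops it, while port 80 to the web server is blocked only because nobody passed it through Firewall B, which is exactly the doubled configuration work described above.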

The discussion I was having with the other tech person was whether or not we have hit the point where home use merits this, and also whether the built-in Windows Firewall counts as a second one on the inside.
My argument was that the Windows Firewall was useless and that regular Joe home users don't need two firewalls - just one home-level hardware firewall should do.

As should be obvious on this blog, I frequently discuss all IT things, since they all interrelate: better security measures keep out people who would abuse your network for a variety of reasons, from harvesting user lists to spam you, to getting in and sending spam out through your system.
