
Network firewall know-how: Avoid network latency while protecting your network

02 Jan 2008 | SearchNetworking.com


Are two firewalls better than one? Will using more than one firewall cause network latency? These questions about firewall placement and how many you need are answered in this section of the Network Security Firewall Guide.

Table of contents:
Introduction to firewalls
Types of firewalls
Firewall know-how
       Who is responsible for firewalls?
       Are two firewalls better than one?
       Placement of a firewall
Firewalls for network security and auditing
Firewall purchasing advice

  Firewall know-how: What firewalls protect 

Troubleshooting firewalls
In this Firewall troubleshooting guide, Microsoft MVP Brien Posey provides troubleshooting tips for common Windows firewall configuration issues.

Many people think that as long as their SAN or NAS is behind a firewall then everything is protected -- this is a myth of network security. Most storage environments span across multiple networks, both private and public.

Storage devices are serving up multiple network segments and creating a virtual bridge that basically negates any sort of firewall put in place. This can provide a conduit into the storage environment, especially when a system is attacked and taken control of in the DMZ or public segment. The storage back end can then be fully accessible to the attacker because there is a path for the attack.

Firewalls for Dummies author Kevin Beaver explains more about firewall myths in this expert response.
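
The bridging problem described above can be checked from an asset inventory. The following is an added example, not part of the original guide: it looks for a path between two network segments that runs only through multi-homed devices that are not firewalls. The device names, segment names and inventory format are hypothetical.

```python
from collections import deque

# Constructed inventory: device -> (is_firewall, attached network segments).
# All names are hypothetical and exist only for this illustration.
INVENTORY = {
    "edge-fw":  (True,  {"internet", "dmz", "internal"}),
    "web01":    (False, {"dmz"}),
    "nas01":    (False, {"dmz", "storage"}),       # filer exported to DMZ hosts
    "db01":     (False, {"internal", "storage"}),
    "backup01": (False, {"storage", "internal"}),
}

def bridging_hosts(inventory):
    """Return non-firewall devices attached to more than one segment."""
    return sorted(name for name, (is_fw, segs) in inventory.items()
                  if not is_fw and len(segs) > 1)

def unfiltered_path(inventory, src, dst):
    """Breadth-first search from segment src to segment dst using only
    non-firewall devices as links. Returns the alternating list
    [segment, device, segment, ...], or None when the firewall is the
    only way across."""
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        here = path[-1]
        if here == dst:
            return path
        for name in sorted(inventory):
            is_fw, segs = inventory[name]
            if is_fw or here not in segs:
                continue
            for nxt in sorted(segs - seen):
                seen.add(nxt)
                queue.append(path + [name, nxt])
    return None

if __name__ == "__main__":
    print("multi-homed, unfiltered:", bridging_hosts(INVENTORY))
    print("dmz -> internal:", unfiltered_path(INVENTORY, "dmz", "internal"))
```

A returned path names the devices whose interfaces need to be separated or filtered; `None` means traffic between the two segments has to cross the firewall.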

  Who is responsible for firewalls? 

Information security extends beyond networks and has much wider domain coverage. It's always a good practice to have a separate InfoSec department that works with all the business units and departments and helps implement the organization's ISMS. With regard to networks, InfoSec works as an architect: it creates IT security designs, policies and procedures, and defines IT security controls based on information security standards for network security. The network team takes these as inputs and helps implement and enforce them on its network infrastructure. An example of this is controlling inbound/outbound access through firewall rules.

This text was excerpted from the Who is responsible for firewalls? expert response with Puneet Mehta.

  Are two firewalls better than one? 

Most enterprises use a combination of firewalls, virtual private networks (VPNs) and intrusion detection/prevention (IDS/IPS) systems to limit access to internal networks. Generally speaking, there isn't much work to do in these areas; it's about maintaining these controls and adapting them as dynamic infrastructures change. The maturity of the technology offers the opportunity to focus limited financial and human resources on more challenging problems, such as endpoint/server management and application security.

SearchSecurity expert Mike Chapple says that two firewalls from different vendors may not cause processing delays, but if not used and arranged correctly, the devices can become a hassle for IT teams. If you're experiencing network latency after adding an additional firewall, consider the placement of the firewalls. Are they both directly connected to each other with nothing else in between? If that's the case, consider using a different firewall topology that will get the most out of the two firewalls.

Read the rest of this Q&A about how to get the most out of two separate firewalls on SearchSecurity.com.

  Placement of a firewall 

Firewall best practices
Security expert Puneet Mehta gives you quick but detailed information on firewall topology best practices in this expert response.

When developing a perimeter protection strategy for an organization, one of the most common questions is "Where should I place firewalls for maximum effectiveness?" Chapple breaks up firewall placement into three basic options: bastion host, screened subnet and dual firewalls.

The first, bastion host topology, is the most basic option, and is well suited for relatively simple networks. This topology would work well if you're merely using the firewall to protect a corporate network that is used mainly for surfing the Internet, but it is probably not sufficient if you host a Web site or e-mail server.

The screened subnet option provides a solution that allows organizations to offer services securely to Internet users. Any servers that host public services are placed in the Demilitarized Zone (DMZ), which is separated from both the Internet and the trusted network by the firewall. Therefore, if a malicious user does manage to compromise the firewall, he or she does not have access to the Intranet (providing that the firewall is properly configured).

The most secure (and most expensive) option is to implement a screened subnet using two firewalls. The use of two firewalls still allows the organization to offer services to Internet users through the use of a DMZ, but provides an added layer of protection.

To read a more in-depth description of these options view the rest of Chapple's tip on firewall placement.
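
The screened subnet only isolates the intranet "providing that the firewall is properly configured". The following is an added example, not taken from the guide or from Chapple's tip: it models a three-zone rule set with first-match evaluation and audits it for rules that break the screened-subnet model. The zone names, ports and rule format are assumptions.

```python
# Constructed rule set for a single three-legged (screened subnet) firewall.
# Zones, ports and rule order are assumptions made for this illustration.
# Each rule: (source zone, destination zone, destination port or None=any, action)
RULES = [
    ("internet", "dmz",      443,  "allow"),   # public web service
    ("internet", "dmz",      25,   "allow"),   # inbound mail relay
    ("dmz",      "internal", 1433, "allow"),   # web tier -> one database port
    ("internal", "internet", None, "allow"),   # outbound browsing
    ("internal", "dmz",      22,   "allow"),   # admin access to DMZ hosts
    ("any",      "any",      None, "deny"),    # explicit default deny
]

def decide(rules, src, dst, port):
    """First-match evaluation, the way most packet filters process a rule list."""
    for r_src, r_dst, r_port, action in rules:
        if r_src in (src, "any") and r_dst in (dst, "any") and r_port in (port, None):
            return action
    return "deny"  # implicit deny if nothing matched

def audit(rules):
    """Flag allow rules that break the screened-subnet model."""
    findings = []
    for i, (src, dst, port, action) in enumerate(rules):
        if action != "allow":
            continue
        if src in ("internet", "any") and dst in ("internal", "any"):
            findings.append((i, "internet can reach internal directly"))
        elif src in ("dmz", "any") and dst in ("internal", "any") and port is None:
            findings.append((i, "dmz to internal is not limited to a port"))
    return findings

if __name__ == "__main__":
    print(decide(RULES, "internet", "dmz", 443))
    print(decide(RULES, "internet", "internal", 1433))
    print(audit(RULES))
```

In the dual-firewall variant the same audit would be run against each device's rule set separately, with the DMZ as the only zone the two devices share.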

 
