PREVIOUSLY: Introduction to firewalls
Are two firewalls better than one? Will using more than one firewall cause network latency?
These questions about firewall placement and how many you need are answered in this section of our firewall guide.
Many people think that as long as their SAN or NAS sits behind a firewall, everything is protected. This is a myth of network security. Most storage environments span multiple networks, both private and public.
A storage device that serves several network segments at once creates a virtual bridge between them, which effectively bypasses whatever firewall has been put in place. This gives an attacker a conduit into the storage environment, especially once a system in the DMZ or on a public segment has been attacked and taken over. The storage back end can then be fully accessible to the attacker because there is a path for the attack
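The bridging problem above is easy to miss because each interface looks fine on its own. The following audit check, an added example that is not part of the original article, maps every address a host holds to a security zone and flags hosts that straddle more than one. The zone table, the host names and the `ip -o -4 addr show` output are all constructed for the illustration; the severity scheme (a DMZ leg on a storage or internal host is critical, private-only multi-homing is flagged for review) is an assumption of the example, not a standard.

```python
"""Flag NAS/SAN hosts (or any host) whose interfaces span more than one
security zone. Added example; zone table and sample output are constructed."""
import ipaddress

# Hypothetical zone table: which prefixes belong to which security zone.
ZONES = {
    "203.0.113.0/24": "dmz",       # public-facing segment (documentation range)
    "10.20.0.0/16": "internal",    # corporate LAN
    "10.99.0.0/16": "storage",     # iSCSI/NFS back-end network
}
_ZONE_NETS = [(ipaddress.ip_network(cidr), name) for cidr, name in ZONES.items()]


def zone_of(address):
    """Map an IPv4 address (with or without prefix length) to its zone name."""
    ip = ipaddress.ip_interface(address).ip
    for net, name in _ZONE_NETS:
        if ip in net:
            return name
    return "unknown"


def parse_ip_addr(output):
    """Extract (interface, address/prefix) pairs from `ip -o -4 addr show` output."""
    pairs = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "inet":
            pairs.append((fields[1], fields[3]))
    return pairs


def zones_touched(output):
    """Set of zones a host has an interface in; loopback is ignored."""
    zones = set()
    for _, addr in parse_ip_addr(output):
        if not ipaddress.ip_interface(addr).ip.is_loopback:
            zones.add(zone_of(addr))
    return zones


def classify(zones):
    """Severity of a host's zone footprint (assumed scheme for this example)."""
    if len(zones) <= 1:
        return "ok"
    if "dmz" in zones:
        return "critical"   # a public segment is bridged into a private one
    return "review"         # multi-homed across private zones only


def find_bridges(inventory):
    """Return {host: (severity, sorted zones)} for every host that bridges zones."""
    findings = {}
    for host, output in inventory.items():
        zones = zones_touched(output)
        severity = classify(zones)
        if severity != "ok":
            findings[host] = (severity, sorted(zones))
    return findings


# Constructed sample: `ip -o -4 addr show` as captured on four hypothetical hosts.
INVENTORY = {
    "nas01": (          # NAS with a leg on the storage network and one in the DMZ
        "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
        "2: eth0    inet 10.99.1.10/24 brd 10.99.1.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
        "3: eth1    inet 203.0.113.20/24 brd 203.0.113.255 scope global eth1\\       valid_lft forever preferred_lft forever\n"
    ),
    "san-ctrl-a": (     # SAN controller, storage network only
        "2: bond0    inet 10.99.1.5/24 brd 10.99.1.255 scope global bond0\\       valid_lft forever preferred_lft forever\n"
    ),
    "web01": (          # DMZ web server that mounts storage directly
        "2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
        "3: eth1    inet 10.99.1.30/24 brd 10.99.1.255 scope global eth1\\       valid_lft forever preferred_lft forever\n"
    ),
    "fileserver": (     # internal file server with a storage leg
        "2: eth0    inet 10.20.5.11/24 brd 10.20.5.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
        "3: eth1    inet 10.99.1.40/24 brd 10.99.1.255 scope global eth1\\       valid_lft forever preferred_lft forever\n"
    ),
}

if __name__ == "__main__":
    for host, (severity, zones) in sorted(find_bridges(INVENTORY).items()):
        print(f"{host:12} {severity:9} bridges {' + '.join(zones)}")
```

In the constructed sample, nas01 and web01 come out as critical because each has one interface in the public segment and one on the storage network: traffic from a compromised DMZ host can reach the back end without ever crossing the firewall. The file server is only flagged for review, since both of its zones are private, but it is still a path worth knowing about.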
Information security extends beyond networks and covers a much wider domain. It is good practice to have a separate information security (InfoSec) department that works with all business units and departments and helps implement the organisation's information security management system (ISMS). With regard to networks, InfoSec acts as the architect: it creates IT security designs, policies and procedures, and defines IT security controls based on information security standards for network security. The network team takes these as inputs and implements and enforces them on the network infrastructure. An example is controlling inbound and outbound access through firewall rules.
Most enterprises use a combination of firewalls, virtual private networks (VPNs) and intrusion detection/prevention systems (IDS/IPS) to limit access to internal networks. Generally speaking, there isn't much new work to do in these areas; the job is maintaining these controls and adapting them as the infrastructure changes. The maturity of the technology makes it possible to focus limited financial and human resources on harder problems, such as endpoint/server management and application security.
Security expert Mike Chapple says that two firewalls from different vendors may not cause processing delays, but if they are not used and arranged correctly, the devices can become a hassle for IT teams. If adding a second firewall has introduced network latency, consider how the firewalls are placed. Are they connected directly to each other with nothing in between? If so, consider a different firewall topology that gets the most out of the two devices.
When developing a perimeter protection strategy for an organisation, one of the most common questions is "Where should I place firewalls for maximum effectiveness?" Chapple breaks up firewall placement into three basic options: bastion host, screened subnet and dual firewalls.
The first, the bastion host topology, is the most basic option and is well suited to relatively simple networks. It works well if the firewall merely protects a corporate network whose users mainly browse the Internet, but it is probably not sufficient if you host a Web site or e-mail server, because those servers would then have to be exposed on the same network as everything else.
The screened subnet option allows an organisation to offer services to Internet users securely. Any servers that host public services are placed in a Demilitarised Zone (DMZ), a separate segment that the firewall isolates from both the Internet and the trusted internal network. If a malicious user does manage to compromise a server in the DMZ, he or she still has no access to the intranet, provided that the firewall is properly configured to deny connections initiated from the DMZ towards the internal network.
The most secure (and most expensive) option is a screened subnet built with two firewalls: an outer firewall between the Internet and the DMZ, and an inner firewall between the DMZ and the internal network. The organisation can still offer services to Internet users through the DMZ, but an attacker who gets into the DMZ now faces a second device before reaching the internal network, and using firewalls from two different vendors makes it less likely that a single product vulnerability or misconfiguration opens both.
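The three placement options read as diagrams, but the difference between them is really a difference in which rule set sees which flow. The model below, an added example rather than code from the original article or from Chapple, writes each topology as an explicit first-match, default-deny rule list and then enumerates which zone pairs each one lets a connection through on a few probe ports. The zone names, the rule sets and the probe ports are constructed for the illustration; a real deployment would also carry stateful return-traffic handling and far more specific rules.

```python
"""Model bastion host, screened subnet and dual-firewall placement as rule
sets and check which cross-zone flows each one permits. Added example;
zones, rules and probe ports are constructed for illustration."""
from dataclasses import dataclass

ZONES = ("internet", "dmz", "lan")
ANY = frozenset()          # an empty port set matches every destination port


@dataclass(frozen=True)
class Flow:
    src: str               # zone the connection is initiated from
    dst: str               # zone it is going to
    port: int              # destination port


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: frozenset       # destination ports, ANY for all
    action: str            # "allow" or "deny"


def evaluate(rules, flow):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.src == flow.src and r.dst == flow.dst and (r.ports == ANY or flow.port in r.ports):
            return r.action == "allow"
    return False


# 1. Bastion host: one firewall, no DMZ. Hosting a public web server means
#    letting the Internet into the same network the workstations sit on.
BASTION = [Rule("lan", "internet", ANY, "allow")]
BASTION_WITH_WEB = [Rule("internet", "lan", frozenset({80, 443}), "allow")] + BASTION

# 2. Screened subnet: one three-legged firewall sees all three zones. The
#    dmz -> lan deny is what stops a compromised public server being a pivot.
SCREENED = [
    Rule("internet", "dmz", frozenset({80, 443, 25}), "allow"),   # public web and mail
    Rule("dmz", "internet", frozenset({53, 25}), "allow"),         # DNS lookups, outbound mail
    Rule("dmz", "lan", ANY, "deny"),
    Rule("lan", "dmz", ANY, "allow"),
    Rule("lan", "internet", ANY, "allow"),
]

# 3. Dual firewalls: the outer device only sees internet <-> dmz traffic, the
#    inner only dmz <-> lan. A flow must be accepted by every firewall on its path.
OUTER = [
    Rule("internet", "dmz", frozenset({80, 443, 25}), "allow"),
    Rule("dmz", "internet", frozenset({53, 25}), "allow"),
    Rule("lan", "internet", ANY, "allow"),   # reaches the outer device via the inner one
]
INNER = [
    Rule("dmz", "lan", ANY, "deny"),
    Rule("lan", "dmz", ANY, "allow"),
    Rule("lan", "internet", ANY, "allow"),
]


def bastion(flow):
    return evaluate(BASTION, flow)


def bastion_with_web(flow):
    return evaluate(BASTION_WITH_WEB, flow)


def screened_subnet(flow):
    return evaluate(SCREENED, flow)


def dual_firewall(flow):
    """Internet-facing flows cross OUTER, LAN-facing flows cross INNER,
    internet <-> lan crosses both; a flow crossing neither is not routed."""
    path = []
    if "internet" in (flow.src, flow.dst):
        path.append(OUTER)
    if "lan" in (flow.src, flow.dst):
        path.append(INNER)
    return bool(path) and all(evaluate(rules, flow) for rules in path)


PROBE_PORTS = (22, 80, 443, 445, 3389)   # services an attacker would try to reach


def reachable_pairs(decide):
    """Zone pairs (src, dst) the topology lets through on at least one probe port."""
    return {(s, d) for s in ZONES for d in ZONES if s != d
            and any(decide(Flow(s, d, p)) for p in PROBE_PORTS)}


if __name__ == "__main__":
    for name, decide in [("bastion host", bastion), ("bastion host + web", bastion_with_web),
                         ("screened subnet", screened_subnet), ("dual firewall", dual_firewall)]:
        print(f"{name:20} {sorted(reachable_pairs(decide))}")
```

Running it shows the point of the DMZ directly: the bastion host with a public web server lets the Internet initiate connections into the LAN, whereas both the screened subnet and the dual-firewall layout allow Internet to DMZ and LAN to DMZ but never DMZ to LAN. The two DMZ designs enumerate the same reachable pairs; what the second firewall adds is that the dmz -> lan deny lives on a separate device, so a rule mistake or product flaw on the outer firewall does not by itself open the inner network.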