topic Best practices for firewall external interface addressing in Network Security

Best practices for firewall external interface addressing

B. BELHADJ — Tue, 12 Mar 2019 03:36:42 GMT

Hi all,

Can anyone explain what is more secure when addressing the outside interface of a firewall in a network diagram?

1st option:

ISP router:

interface 1 (connected to the internet).

interface 2 to the firewall with public ip address.

Firewall:

interface 1 (connected to the router): public ip address

interface 2 (connected to internal network): private ip address (RFC1918)

2nd option:

ISP router:

interface 2 (connected to the internet (ISP)).

interface 1 to the firewall with private ip address (RFC1918).

Firewall:

outside interface 2 (connected to the router): private ip address (RFC1918)

inside interface 1 (connected to internal network): private ip address (RFC1918)

Any response is welcome.

Best practices for firewall external interface addressing

Jon Marshall — Mon, 27 Jan 2014 22:49:14 GMT

It's not so much what is more secure as where you want to do the NAT and how may public IPs you have.

So if you only has a small block of public IPs and you wanted to use them for NAT on the firewall then you could use a private link between the ISP router and the firewall.

Usually though an ISP gives you two blocks, a /30 for the point to point link and then a larger subnet for actual use on the firewall.

For a single ISP setup doing the NAT on the firewall is usually the way it is done especially if you are using VPNs as if you NAT on the router it can interfere with the VPN.

If you end up with multiple ISPs then you may need to move some or all of the NAT configuration to the routers although it is not always necessary and you may still do it on the firewall. It depends on a lot of other things such as IP addressing, ISP advertisement of public IPs etc.

Jon

Best practices for firewall external interface addressing

Marvin Rhoads — Mon, 27 Jan 2014 22:53:51 GMT

Option 2 is more secure because it will break the network for most use cases.

Option 1 is necessary assuming your firewall is the device that performs NAT for outbound traffic. It is also necessary if the firewall also provides either site-site or remote access VPN services as you need a public IP to access it for those functions.

A firewall is by design hardened against public attacks. If you want to further reduce the attack surface you can filter unwanted ports at your upstream router but that incurs administrative overhead and introduces the risk of more errors in configuration thus compromising availability in a different way.

Best practices for firewall external interface addressing

B. BELHADJ — Mon, 27 Jan 2014 23:37:19 GMT

Thank you jon.

Best practices for firewall external interface addressing

B. BELHADJ — Mon, 27 Jan 2014 23:37:47 GMT

Thank you Marvin.