Layered Firewalls Implementation

Maro.Cisco
Level 1

Guys, right now I have 2 perimeter firewalls which I'm relying on, and since I'm replacing them soon I was thinking of buying more firewalls for the layered firewall implementation, but I really want to understand what the point of applying 3 layers of firewalls is. For example, what will I be trying to achieve for better security?

Accepted Solution

mmangat
Level 1

Hello,

The firewall implementation must be designed and configured to implement security functions as a layered structure. An isolation boundary, using separate partitions and domains, must be used to minimize interactions between layers of the design. The lower layers of the design should not depend upon the upper layers. If one layer experiences an error in functionality or security, this should not impact the function of the remaining layers. This layered design minimizes the risk of leakage or corruption of privileged information. This control is normally a function of the firewall application design and is usually not a configurable setting; however, in some applications, there may be settings that must be configured to optimize function isolation.


5 Replies

Scott Fella
Hall of Fame

Firewall questions should be posted in the Security Firewall forum. This forum is strictly wireless.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

OK, another question, correct me if I'm wrong: by default a firewall will deny all traffic in, so I need to open up ports to let traffic in. But still, after doing this, the firewall will not allow traffic when it's initiated from the outside world, and that's the use of stateful packet inspection?

Hi Maro,

The firewall will allow traffic from a high security level interface (like the inside interface, which has a security level of 100) to low security level interfaces (like the outside interface or DMZ interface, which have a security level of any value less than 100) by default, without an access-list. If you need to allow traffic from low to high, then you need to specifically allow it through an access-list.

With stateful packet inspection, what the firewall does is maintain a table of all the traffic which goes from inside to outside, and the return traffic will be allowed (no need for any specific ACL) only if the traffic was initiated from inside and has an entry in the firewall's stateful table.

Hope this helps.

Regards

Najaf

Please rate when applicable or helpful!!!

Thanks Najaf, but I need to ask a design question. I have servers that will be exposed to internet access, and I also have a server farm which will be used for internal use. Now, what do you think of this design: Internet ----- Redundant Firewall1 with IPS ------ Firewall2 ---------- Core switch ------------- Distribution switches ------------- End user.

Firewall1: outer interface to the internet, internal interface to Firewall2, DMZ interface to the DNS and email servers.

Firewall2: outer interface to Firewall1, DMZ interface to the server farm, internal interface to the core switches.

I was thinking of placing the Websense and Blue Coat proxy servers on the DMZ interface with the server farm. Is this valid?
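As an added illustration (not from this thread and not Cisco ASA code), here is a small Python model of the rules Najaf describes, applied to the Firewall1 layout in Maro's design: outside at level 0, DMZ at level 50 holding the DNS and mail servers, inside at level 100. The addresses, hosts and the two inbound permits are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed layout of Firewall1 from the thread: outside (level 0) faces the
# internet, dmz (50) holds the DNS/mail servers, inside (100) faces Firewall2.
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}
HOST_IFACE = {  # interface behind which each (constructed) host sits
    "203.0.113.9": "outside",  # internet client
    "192.0.2.10": "dmz",       # mail server
    "192.0.2.11": "dmz",       # DNS server
    "10.0.0.25": "inside",     # user host behind Firewall2
}
# Inbound access-list: explicit low-to-high permits (proto, dst host, dst port).
INBOUND_ACL = {("tcp", "192.0.2.10", 25), ("udp", "192.0.2.11", 53)}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    def __init__(self):
        self.conn_table = set()  # 5-tuples of flows already admitted

    def allow(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.conn_table:   # return traffic of a tracked flow: no ACL needed
            return True
        src_lvl = SECURITY_LEVEL[HOST_IFACE[pkt.src]]
        dst_lvl = SECURITY_LEVEL[HOST_IFACE[pkt.dst]]
        if src_lvl > dst_lvl:        # high -> low is allowed by default; track it
            self.conn_table.add(fwd)
            return True
        if (pkt.proto, pkt.dst, pkt.dport) in INBOUND_ACL:  # low -> high: ACL only
            self.conn_table.add(fwd)
            return True
        return False

def run_scenario():
    fw = StatefulFirewall()  # order matters: the reply passes only because the request came first
    return {
        "inside_to_internet": fw.allow(Packet("tcp", "10.0.0.25", 40000, "203.0.113.9", 80)),
        "reply_to_inside": fw.allow(Packet("tcp", "203.0.113.9", 80, "10.0.0.25", 40000)),
        "unsolicited_to_inside": fw.allow(Packet("tcp", "203.0.113.9", 5555, "10.0.0.25", 445)),
        "internet_to_dmz_smtp": fw.allow(Packet("tcp", "203.0.113.9", 5000, "192.0.2.10", 25)),
        "internet_to_dmz_dns_tcp": fw.allow(Packet("tcp", "203.0.113.9", 5001, "192.0.2.11", 53)),
    }
```

The last case is denied because the constructed ACL only permits UDP/53 to the DNS server, which is the kind of gap an explicit inbound list makes visible.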
