Re: Split internal with access back through the PIX

dopenfield · ‎06-04-2003

Could someone point me to a link(s) on Cisco's site to help me quickly explain, to a network manager, why the following scenario is technically not prudent from either a firewall or network architecture Other tasks prevent me from taking the time to research this today and I need to get this documented and explained, to possibly several layers of mgmt, by the end of the week.

Campus environment with a Class B. Currently all traffic comes through a single router to the Internet. Wants to segment off a portion of that address space to not go through the firewall,( unprotected to/from the Internet ) but still retain access back through the firewall to the protected portion of the address space. As an added bonus the address space may be assigned in a fragmented enough manner to defy this being a simple access-list solution to break the security.

I understand the issues but am not local to the mgr I need to explain this to to draw him some pretty pictures and verbiage.

mostiguy · ‎06-04-2003

Your chain is only as strong as its weakest link. If you have legions of machines with unfiltered access to the "secured" machines, then your security is only as strong as that of those unfiltered machines = not much at all.

Simplicity is security's best friend. The easier it is to misconfigure something, the easier it is to be configured in an insecure fasion. Having a bizarre network layout really only makes sense in a transitional stage if need to need to reroute netblocks behind the firewall in a staggered migration, but otherwise would be very ugly.